Report text available as:

  • TXT
  • PDF   (PDF provides a complete and accurate display of this text.) Tip ?

116th Congress   }                                       {  Rept. 116-341
                         HOUSE OF REPRESENTATIVES
 1st Session     }                                       {     Part 1

======================================================================



 
PROTECTING AND SECURING CHEMICAL FACILITIES FROM TERRORIST ATTACKS ACT 
                                OF 2019

                                _______
                                

               December 12, 2019.--Ordered to be printed

                                _______
                                

 Mr. Thompson of Mississippi, from the Committee on Homeland Security, 
                        submitted the following

                              R E P O R T

                             together with

                             MINORITY VIEWS

                        [To accompany H.R. 3256]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the bill (H.R. 3256) to amend the Homeland Security Act of 2002 
to reauthorize and improve the Chemical Facility Anti-Terrorism 
Standards Program, and for other purposes, having considered 
the same, report favorably thereon with an amendment and 
recommend that the bill as amended do pass.

                                CONTENTS

                                                                   Page
Purpose and Summary..............................................    11
Background and Need for Legislation..............................    11
Hearings.........................................................    12
Committee Consideration..........................................    13
Committee Votes..................................................    13
Committee Oversight Findings.....................................    13
C.B.O. Estimate, New Budget Authority, Entitlement Authority, and 
  Tax Expenditures...............................................    14
Federal Mandates Statement.......................................    17
Statement of General Performance Goals and Objectives............    17
Duplicative Federal Programs.....................................    17
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits.......................................................    17
Advisory Committee Statement.....................................
Applicability to Legislative Branch..............................
Section-by-Section Analysis of the Legislation...................    17
Changes in Existing Law Made by the Bill, as Reported............    28
Minority Views...................................................    53

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Protecting and 
Securing Chemical Facilities from Terrorist Attacks Act of 2019''.
  (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Definitions.
Sec. 3. Chemical Facility Anti-Terrorism Standards Program.
Sec. 4. Protection and sharing of information.
Sec. 5. Civil enforcement.
Sec. 6. Whistleblower protection.
Sec. 7. Chemical Security Advisory Committee.
Sec. 8. Implementation plan and report to Congress.
Sec. 9. Study on risks posed by excluded facilities.
Sec. 10. Study on feasibility of waiver program.
Sec. 11. Review of tiering methodology.
Sec. 12. Comptroller General reports.
Sec. 13. Voluntary mechanism for reporting drones and other emerging 
threats.
Sec. 14. Regulations regarding specific products and mixtures 
containing chemicals of interest.
Sec. 15. Voluntary program.
Sec. 16. Study on local emergency response capacity to respond to 
chemical security incidents.
Sec. 17. Previously approved facilities.
Sec. 18. Termination.

SEC. 2. DEFINITIONS.

  Section 2101 of the Homeland Security Act of 2002 (6 U.S.C. 621) is 
amended--
          (1) in paragraph (4)(E), by striking ``subject to 
        regulation'' and inserting ``regulated'';
          (2) in paragraph (5)--
                  (A) in subparagraph (A), by striking ``that is in 
                effect on the day before the date of enactment of the 
                Protecting and Securing Chemical Facilities from 
                Terrorist Attacks Act of 2014;'' and inserting ``or 
                this title''; and
                  (B) in subparagraph (B), by striking ``that is in 
                effect on the day before the date of enactment of the 
                Protecting and Securing Chemical Facilities from 
                Terrorist Attacks Act of 2014;'' and inserting ``or 
                this title'';
          (3) by striking paragraphs (6), (7), and (8); and
          (4) by redesignating paragraphs (9) through (14) as 
        paragraphs (6) through (11), respectively.

SEC. 3. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS PROGRAM.

  (a) Additional CFATS Program Requirement.--Section 2102(a)(2) of such 
Act (6 U.S.C. 622) is amended--
          (1) in subparagraph (C), by striking ``and'' at the end;
          (2) in subparagraph (D), by striking the period and inserting 
        ``; and'' ; and
          (3) by adding at the end the following new subparagraph:
                  ``(E) verify information submitted by a covered 
                chemical facility prior to assigning such facility a 
                lower risk tier or determining that such facility no 
                longer presents a high level of security risk.''.
  (b) Employee Input Regarding Security Measures.--Paragraph (2) of 
subsection (b) of section 2102 of such Act (6 U.S.C. 622) is amended to 
read as follows:
          ``(2) Employee consultation and awareness.--
                  ``(A) Employee consultation requirement.--A 
                facility's security vulnerability assessment and site 
                security plan shall be developed in consultation with--
                          ``(i) at least one facility employee, in 
                        addition to the facility security officer or 
                        other individual who serves as a point of 
                        contact under section 27.230(a)(17) of title 6, 
                        Code of Federal Regulations, and the 
                        corresponding guidance issued under section 
                        27.220(d) of such title, or any successor 
                        thereto, who possesses relevant knowledge, 
                        experience, training, or education pertaining 
                        to matters of site security.
                          ``(ii) in the case of a facility where 
                        facility employees are represented by a 
                        bargaining agent, at least one employee 
                        representative who--
                                  ``(I) is selected by the bargaining 
                                agent at that facility; and
                                  ``(II) has relevant knowledge, 
                                experience, training, or education 
                                pertaining to matters of site security.
                  ``(B) Record of employee consultation.--A covered 
                chemical facility shall maintain a written record of 
                the employee consultation required by subparagraph (A), 
                including a record of--
                          ``(i) the name of the employee with whom the 
                        facility security officer or other similar 
                        official consulted;
                          ``(ii) how often and when such consultation 
                        took place;
                          ``(iii) what mechanisms the facility used to 
                        capture feedback; and
                          ``(iv) any recommendations that were offered, 
                        accepted, or rejected as part of the security 
                        vulnerability assessment or site security plan.
                  ``(C) Access to employees.--Each owner or operator of 
                a covered chemical facility shall, upon request, 
                provide to an employee of the Department engaged in 
                carrying out audits and inspections of such facility 
                access to any employee who participated in the 
                development of the facility's security vulnerability 
                assessment and site security plan.
                  ``(D) Employee awareness.--The Secretary shall 
                produce a poster that a chemical facility of interest 
                shall display in areas accessible to facility employees 
                to inform employees about requirements under this title 
                and the whistleblower protections provided under 
                section 2105.''.
  (c) Site Security Plans.--
          (1) Disapproval.--Subsection (c)(1)(B) of section 2102 of 
        such Act (6 U.S.C. 622) is amended--
                  (A) in clause (i), by striking ``and'' at the end; 
                and
                  (B) by amending clause (ii) to read as follows:
                          ``(ii) shall disapprove a site security plan 
                        if--
                                  ``(I) the plan fails to satisfy the 
                                risk-based performance standards 
                                established pursuant to subsection 
                                (a)(2)(C); or
                                  ``(II) the plan fails to include the 
                                name, organizational affiliation, and 
                                phone number of a local emergency 
                                manager or local emergency response 
                                provider and a documented policy to 
                                contact the local emergency manager or 
                                local emergency response provider at 
                                least annually regarding emergency 
                                response plans at the facility.''.
          (2) Assessments.--Paragraph (3) of subsection (c) of such 
        section is amended to read as follows:
          ``(3) Site security plan assessments.--In approving or 
        disapproving a site security plan under this subsection, the 
        Secretary shall--
                  ``(A) employ the risk assessment policies and 
                procedures developed under this title; and
                  ``(B) confirm that the covered chemical facility has 
                complied with the employee consultation requirements in 
                paragraph (2) of subsection (b), including by reviewing 
                and recording compliance with the record-keeping 
                requirements under subparagraph (B) of that 
                paragraph.''.
  (d) Elimination of Expedited Approval Program.--Section 2102(c) of 
such Act (6 U.S.C. 622) is amended by striking paragraph (4).
  (e) Audits and Inspections.--
          (1) Authority to conduct.--Subparagraph (B) of paragraph (1) 
        of subsection (d) of section 2102 of such Act (6 U.S.C. 622) is 
        amended by striking ``under this title using'' and inserting 
        ``at chemical facilities of interest and covered chemical 
        facilities and shall obtain information and records to ensure 
        compliance with this title. Such audits and inspections shall 
        be conducted using''.
          (2) Reporting structure.--Subparagraph (D) of such paragraph 
        is amended--
                  (A) in clause (i), by inserting ``, or any successor 
                organization that implements the requirements of 
                subsection (a)(2),'' after ``Department''; and
                  (B) in clause (ii), by inserting ``, or any successor 
                organization that implements the requirements of 
                subsection (a)(2),'' after ``Department''.
          (3) Standards for auditors and inspectors.--Subparagraph (E) 
        of such paragraph is amended--
                  (A) in the matter preceding clause (i)--
                          (i) by striking ``The Secretary'' and 
                        inserting ``For each individual responsible for 
                        carrying out audits or inspections on behalf of 
                        the Secretary, the Secretary'';
                          (ii) by inserting ``to ensure such 
                        individuals receive'' before ``the training''; 
                        and
                          (iii) by striking ``and retraining of each 
                        individual used by the Department as an auditor 
                        or inspector, including each individual 
                        employed by the Department and all 
                        nondepartmental or nongovernmental personnel'' 
                        and inserting ``, continuing education, and 
                        other professional development tools necessary 
                        to carry out duties and responsibilities''; and
                  (B) in clause (i), by striking ``requirements'' and 
                inserting ``necessary to audit and inspect compliance 
                with all aspects of the risk-based performance 
                standards, including standards related to 
                cybersecurity,'';
                  (C) by redesignating clauses (vi) and (vii) as 
                clauses (vii) and (viii), respectively; and
                  (D) by inserting after clause (v) the following new 
                clause:
                          ``(vi) the proper credential or certification 
                        necessary to conduct inspections related to the 
                        cybersecurity standard.''.
          (4) Emergency response plans.--Such subsection is further 
        amended by adding at the end the following new paragraph:
          ``(4) Audit of emergency response plan.--As part of the audit 
        and inspection process under this subsection, the Secretary 
        shall annually confirm compliance of a chemical facility with 
        the requirements under subsection (c)(1)(B)(ii)(II) including 
        adherence to the facility's documented policy to contact the 
        local emergency manager or local emergency response provider at 
        least annually regarding emergency response plans at the 
        facility under such subsection.''.
  (f) Risk Assessment.--Section 2102(e) of such Act (6 U.S.C. 622(e)) 
is amended--
          (1) in paragraph (2)(B)--
                  (A) in the matter preceding clause (i), by inserting 
                ``and other malicious acts'' after ``terrorism''; and
                  (B) in clause (ii), by striking ``severe economic 
                consequences and the potential loss of human life in 
                the event of the facility being subject to attack, 
                compromise, infiltration, or exploitation by 
                terrorists'' and inserting ``consequences in event of 
                the facility being subject to attack, compromise, 
                infiltration, or the exploitation of chemicals of 
                interest by a terrorist or other malicious actor'';
          (2) in paragraph (3)--
                  (A) in subparagraph (A)--
                          (i) by redesignating clauses (i) and (ii) as 
                        clauses (ii) and (iii), respectively;
                          (ii) by inserting before clause (ii), as so 
                        redesignated, the following new clause (i):
                          ``(i) the Secretary determines that a 
                        chemical facility of interest does not present 
                        a high level of security risk;''; and
                          (iii) in clause (iii), as so redesignated, by 
                        inserting ``or chemical facility of interest'' 
                        after ``covered chemical facility'';
                  (B) in subparagraph (B)--
                          (i) by striking ``information on'' and all 
                        that follows and inserting ``information on--
                        ''; and
                          (ii) by adding at the end the following 
                        clauses:
                          ``(i) how the Secretary confirmed the 
                        information that was the basis for the change 
                        or determination described in subparagraph (A); 
                        and
                          ``(ii) actions taken or practices employed by 
                        the facility to reduce or remove terrorism-
                        related chemical security risks, where 
                        applicable.''; and
                  (C) by adding at the end the following new 
                subparagraph:
                  ``(C) Treatment of certain information.--For the 
                purposes of subsection (a) of section 2103--
                          ``(i) information described in subparagraph 
                        (B)(i) shall be given protections from public 
                        disclosure under such subsection; and
                          ``(ii) information described in subparagraph 
                        (B)(ii) shall not be given protections from 
                        public disclosure under such subsection.'';
          (3) by redesignating paragraph (4) as paragraph (7);
          (4) by inserting after paragraph (3) the following new 
        paragraphs:
          ``(4) Sharing information with emergency response 
        providers.--
                  ``(A) In general.--The Secretary shall make available 
                to State, local, and regional fusion centers (as that 
                term is defined in section 210A(j)(1) of this Act) and 
                State and local government officials such information 
                as the Secretary determines necessary to ensure that 
                emergency response providers are prepared and provided 
                with the situational awareness needed to respond to 
                security incidents at covered chemical facilities.
                  ``(B) Dissemination.--The Secretary shall disseminate 
                information under subparagraph (A) to individuals 
                identified and entities described in such subparagraph 
                in a secure and expeditious manner.
          ``(5) Practices that may reduce chemical security risks.--
                  ``(A) In general.--Based on the information 
                maintained under paragraph (3)(B)(ii) regarding actions 
                taken or practices employed by chemical facilities of 
                interest to successfully reduce or remove terrorism-
                related chemical security risks, the Secretary shall 
                develop voluntary, publicly available practices that 
                could be used to guide other facility owners and 
                operators in preventing, reducing, and mitigating 
                chemical security risks.
                  ``(B) Treatment of sensitive information.--In 
                developing and disseminating practices under 
                subparagraph (A), the Secretary shall protect from 
                public disclosure all information described in section 
                2103(a).
          ``(6) Congressional notification.--Any time a determination 
        is not made with respect to a chemical facility of interest 
        within 9 months of the facility submitting a Top-Screen, the 
        Secretary shall notify the Committees on Homeland Security and 
        Energy and Commerce of the House and the Committee on Homeland 
        Security and Governmental Affairs of the Senate and provide an 
        explanation.''; and
          (5) in paragraph (6), as redesignated by paragraph (3) of 
        this subsection--
                  (A) in subparagraph (B)(i)(I)--
                          (i) in item (aa), by striking ``or'' at the 
                        end;
                          (ii) in item (bb), by striking ``and'' and 
                        inserting ``or''; and
                          (iii) by adding at the end the following new 
                        item:
                                          ``(cc) determined that a 
                                        chemical facility of interest 
                                        did not present a high level of 
                                        risk; and'';
                  (B) by amending subparagraph (C) to read as follows:
                  ``(C) for the period beginning on the date that is 
                one year before the date of the enactment of the 
                Protecting and Securing Chemical Facilities from 
                Terrorist Attacks Act of 2019 and ending on the date of 
                the enactment of such Act, the average length of time 
                required to--
                          ``(i) review and approve site security plans 
                        or alternative security programs for covered 
                        chemical facilities;
                          ``(ii) ensure a facility has achieved full 
                        implementation of planned security measures; 
                        and
                          ``(iii) conduct a compliance inspection, 
                        including the average length of time inspectors 
                        spend on an individual compliance 
                        inspection;'';
                  (C) in subparagraph (E), by striking ``and'' at the 
                end;
                  (D) by redesignating subparagraph (F) as subparagraph 
                (I); and
                  (E) by inserting after subparagraph (E) the following 
                new subparagraphs:
                  ``(F) a detailed summary of reports and other 
                information generated under paragraph (3) regarding 
                facilities that receive a change in tier or that are 
                determined not to present a high level of security 
                risk;
                  ``(G) a detailed summary of practices identified and 
                disseminated under such paragraph;
                  ``(H) actions taken and results produced in 
                implementing the practices, to the extent feasible; 
                and''.
  (g) Specific Products and Mixtures.--Such section (6 U.S.C. 622) is 
further amended by adding at the end the following new subsection:
  ``(f) Specific Products and Mixtures Containing Chemicals of 
Interest.-- The Secretary may exclude a specific product or mixture 
that contains a chemical of interest at or above the minimum 
concentration listed on Appendix A to part 27 of title 6, Code of 
Federal Regulations, or any successor thereto, from any reporting 
requirements under this section if the Secretary determines that the 
product or mixture does not present a terrorism risk for which the 
chemical of interest contained within the product or mixture was 
included on Appendix A.''.

SEC. 4. PROTECTION AND SHARING OF INFORMATION.

  Section 2103 of the Homeland Security Act of 2002 (6 U.S.C. 623) is 
amended--
          (1) by striking subsections (b), (c), and (f); and
          (2) by inserting after subsection (a) the following new 
        subsections (b) and (c):
  ``(b) Authorized Recipients of Information.--The Secretary shall make 
available, upon request, information protected pursuant to subsection 
(a) to the following recipients:
          ``(1) State and local government officials, including law 
        enforcement and emergency response providers, with respect to 
        information on any chemical facility of interest within the 
        jurisdiction of the official, but only if such information may 
        not be disclosed pursuant to any State or local law.
          ``(2) Members of Congress.
          ``(3) Members of the Chemical Security Advisory Committee 
        under section 2010, in the course of conducting official duties 
        and responsibilities as described in such section.
          ``(4) The Comptroller General of the United States.
  ``(c) Information Developed for Other Purposes.--Nothing in this 
section shall be construed to prohibit a chemical facility of interest 
from disclosing information that was not created solely for the purpose 
of meeting the requirements of this title.''.

SEC. 5. CIVIL ENFORCEMENT.

  Section 2104 of the Homeland Security Act of 2002 (6 U.S.C. 624) is 
amended--
          (1) in subsection (a)(1)--
                  (A) in subparagraph (A)(i), by striking ``14 days 
                after date on which'' and inserting ``three days after 
                the date on which''; and
                  (B) in subparagraph (B), by striking ``180 days'' and 
                inserting ``30 days'';
          (2) in subsection (b)(2), by inserting ``section 
        2102(a)(2)(B) or any requirement issued by the Secretary 
        thereunder'' after ``comply with'';
          (3) in subsection (c), by inserting ``or other malicious 
        act'' after ``terrorist incident''; and
          (4) in subsection (d), by inserting ``, except as provided in 
        section 2105(a)(5) regarding whistleblower retaliation'' before 
        the period at the end.

SEC. 6. WHISTLEBLOWER PROTECTION.

  Section 2105 of the Homeland Security Act of 2002 (6 U.S.C. 625) is 
amended--
          (1) in subsection (a)--
                  (A) in paragraph (1), by striking ``Not later than 
                180 days after the date of enactment of the Protecting 
                and Securing Chemical Facilities from Terrorist Attacks 
                Act of 2014, the Secretary'' and inserting ``The 
                Secretary'';
                  (B) by amending paragraph (2) to read as follows:
          ``(2) Confidentiality.--
                  ``(A) In general.--Except as provided in subparagraph 
                (B), in the absence of the written consent of an 
                individual who submits a report under paragraph (1)--
                          ``(i) the Secretary shall keep confidential 
                        the identity of and any identifying information 
                        relating to that individual; and
                          ``(ii) any such report shall be subject to 
                        the protections on information under section 
                        2103 of this Act to the extent that the report 
                        does not consist of publicly available 
                        information.
                  ``(B) Notice.--In a case in which it is necessary to 
                disclose the identity of or any identifying information 
                relating to an individual who submits a report under 
                paragraph (1) because it is essential to investigate 
                the information contained in the report or because of 
                compulsory legal process, the Secretary shall provide 
                timely advance notice to the individual of such 
                disclosure.'';
                  (C) by amending paragraph (3) to read as follows:
          ``(3) Response to reports.--If a report submitted under 
        paragraph (1) contains information identifying the individual 
        making the report, the Secretary, or the designee of the 
        Secretary shall, by not later than 15 days after the date on 
        which the report is received, respond to the individual 
        directly and acknowledge receipt of the report.'';
                  (D) in paragraph (5)--
                          (i) by amending subparagraph (C) to read as 
                        follows:
                  ``(C) Opportunity for review.--In any action under 
                paragraph (4) that is based on information received 
                under the procedure established under paragraph (1), 
                the Secretary shall provide for review of the action if 
                a petition for review is filed within 20 calendar days 
                of the date of issuance of the order for the action.'';
                          (ii) in subparagraph (D)--
                                  (I) by striking ``unless the 
                                Secretary determines'' and inserting 
                                ``, except that the Secretary may 
                                provide for a 30-day extension if the 
                                Secretary determines'';
                                  (II) by striking ``that the violation 
                                providing a basis for the action 
                                continues to exist.'' and inserting 
                                ``that--''; and
                                  (III) by adding at the end the 
                                following new clauses:
                          ``(i) the violation providing a basis for the 
                        action continues to exist; or
                          ``(ii) such period is insufficient to 
                        complete the review of the action.''; and
                  (E) in paragraph (6)--
                          (i) in subparagraph (A), by striking 
                        ``discharge an employee or otherwise 
                        discriminate against an employee with respect 
                        to the compensation provided to, or terms, 
                        conditions, or privileges of the employment of, 
                        the employee because the employee (or an 
                        individual acting pursuant to a request of the 
                        employee) submitted a report under paragraph 
                        (1).'' and inserting ``discharge an employee or 
                        otherwise discriminate against an employee or 
                        former employee with respect to the 
                        compensation provided to, or terms, conditions, 
                        or privileges associated with current or past 
                        employment of, the employee or former employee 
                        because the employee or former employee (or an 
                        individual acting pursuant to a request of the 
                        employee or former employee) submitted a report 
                        under paragraph (1).''; and
                          (ii) in subparagraph (B), in the matter 
                        preceding clause (i), by--
                                  (I) inserting ``or former employee'' 
                                after ``An employee''; and
                                  (II) inserting ``or former employee 
                                (or an individual acting pursuant to a 
                                request of the employee or former 
                                employee)'' after ``the employee''; and
                          (iii) by adding at the end the following new 
                        subparagraph:
                  ``(C) Procedure and remedy.--
                          ``(i) In general.--The Secretary shall 
                        establish a procedure for the review and 
                        investigation of complaints of reprisals 
                        prohibited under subparagraph (A) and for 
                        remedies for violations of such subparagraph.
                          ``(ii) Judicial remedies.--Nothing in this 
                        title shall be construed to deny an individual 
                        who submits a complaint for any reprisal 
                        prohibited under subparagraph (A) from seeking 
                        a judicial remedy against the owner or operator 
                        of the chemical facility of interest as long as 
                        the individual has exhausted administrative 
                        remedies.''; and
          (2) by striking subsection (d).

SEC. 7. CHEMICAL SECURITY ADVISORY COMMITTEE.

  (a) In General.--Title XXI of the Homeland Security Act of 2002 (6 
U.S.C. 621 et seq.) is amended by adding at the end the following new 
section:

``SEC. 2110. CHEMICAL SECURITY ADVISORY COMMITTEE.

  ``(a) Establishment.--The Secretary shall establish a standing 
Chemical Security Advisory Committee to advise the Secretary on the 
implementation of this title.
  ``(b) Membership.--
          ``(1) In general.--The Advisory Committee shall be comprised 
        of 12 members selected by the Secretary, which shall include at 
        least one individual who is a multi-disciplinary stakeholder 
        with scientific or other expertise representing each of the 
        following:
                  ``(A) Industry.
                  ``(B) Academia.
                  ``(C) Labor.
                  ``(D) Emergency response providers.
                  ``(E) Local emergency planners.
                  ``(F) Environmental, community, or public health 
                advocates, particularly for communities with high 
                concentrations of covered chemical facilities.
                  ``(G) Cybersecurity and information policy.
          ``(2) Terms.--Each member shall be appointed for an initial 
        term of three years and may be reappointed for one additional 
        three-year term.
          ``(3) Chair.--The Committee shall have a chair, who shall be 
        selected by the members of the Committee.
          ``(4) Pay.--Members shall serve without pay.
          ``(5) Quorum.--A majority of members of the Advisory 
        Committee shall constitute a quorum but a lesser number may 
        hold hearings.
  ``(c) Subcommittees.--The Advisory Committee may establish 
subcommittees to assesses and recommend improvements to the risk 
tiering methodology for chemical facilities, the risk-based performance 
standards for chemical facilities, risk reduction strategies, and other 
aspects of the program under this title as the Secretary determines 
appropriate.
  ``(d) Information Protection.--Members of Advisory Committee shall 
maintain information protections pursuant to section 2103 of this Act. 
Any member who needs to access classified information to carry out 
assessments and recommendations for improving the risk tiering 
methodology for chemical facilities shall have an appropriate security 
clearance.
  ``(e) Annual Report.--
          ``(1) Submission to the secretary.--Not later than January 30 
        each year, the chair shall submit to the Secretary a report on 
        the activities of the Committee during the year preceding the 
        year during which the report is submitted.
          ``(2) Submission to congress.--Not later than 45 days after 
        receiving a report from the Advisory Committee under paragraph 
        (1), the Secretary shall provide to the Committees on Homeland 
        Security and Energy and Commerce of the House of 
        Representatives and the Committee on Homeland Security and 
        Governmental Affairs of the Senate a copy of the report 
        together with any Secretarial feedback on the report.
  ``(f) Applicability of FACA.--The Federal Advisory Committee Act (5 
U.S.C. App.) shall not apply to the Committee established under this 
section.''.
  (b) Clerical Amendment.--The table of contents in section 1(b) of 
such Act is amended by inserting after the item relating to section 
2109 the following new item:

``2110. Chemical Security Advisory Committee.''.

SEC. 8. IMPLEMENTATION PLAN AND REPORT TO CONGRESS.

  (a) Implementation Plan.--Not later than 120 days after the date of 
the enactment of this Act, the Secretary of Homeland Security shall 
develop, and submit to Congress, an implementation plan outlining how 
the Secretary plans to--
          (1) aggregate, anonymize, and analyze data collected from 
        covered chemical facilities or chemical facilities of interest 
        to identify practices that such facilities have employed to 
        successfully reduce or remove terrorism-related chemical 
        security risks;
          (2) develop voluntary, publicly available, practices based on 
        such data, which may be updated as necessary, to guide facility 
        owners and operators in preventing, reducing, and managing 
        security risks; and
          (3) disseminate such practices to chemical facility owners 
        and operators through an appropriate medium or system, 
        including by making such practices available to the public to 
        the greatest extent practicable.
  (b) Report.--
          (1) Initial report.--Not later than two years after the date 
        of the enactment of this Act, the Secretary shall submit to 
        Congress a report on the status of implementation plan required 
        under subsection (a), a description of the voluntary, publicly 
        available, practices identified, and the system or medium used 
        to disseminate such practices to chemical facility owners and 
        operators.
          (2) Annual updates.--Not later than one year after the 
        submission of the report required under paragraph (1), and 
        annually thereafter, the Secretary shall submit to Congress 
        information on changes to the voluntary practices information 
        disseminated and bases for such changes, information on 
        feedback collected from facility owners and operators regarding 
        the extent to which voluntary practices were adopted, and 
        information on what impact the dissemination of voluntary 
        practices have had on the effectiveness of the program.

SEC. 9. STUDY ON RISKS POSED BY EXCLUDED FACILITIES.

  (a) Study Required.--The Secretary of Homeland Security shall enter 
into an agreement with a non-Department of Homeland Security entity for 
the conduct of an independent assessment of--
          (1) the implications for national security and homeland 
        security of exempting from regulation under title XXI of the 
        Homeland Security Act of 2002 (6 U.S.C. 621 et seq.) excluded 
        facilities, as such term is defined in section 2101(4) of such 
        Act.;
          (2) the implications for such excluded facilities of 
        exempting such facilities from regulation; and
          (3) the implications of exempting such facilities from 
        regulation for the communities located in the same geographic 
        areas as such facilities.
  (b) Report to Congress.--Not later than 16 months after entering into 
an agreement under subsection (a), the Secretary of Homeland Security 
shall submit to the appropriate congressional committees a report that 
includes the findings and recommendations of the independent assessment 
required by subsection (a).
  (c) Appropriate Congressional Committees.--In this section, the term 
``appropriate congressional committees'' means--
          (1) the Committee on Homeland Security and Governmental 
        Affairs of the Senate; and
          (2) the Committee on Homeland Security and the Committee on 
        Energy and Commerce of the House of Representatives.

SEC. 10. STUDY ON FEASIBILITY OF WAIVER PROGRAM.

  (a) Study Required.--The Secretary of Homeland Security shall conduct 
a study to assess the feasibility and desirability of establishing a 
process under which certain chemical facilities, as determined by the 
Secretary, may apply to for a waiver of certain regulatory requirements 
under title XXI of the Homeland Security Act of 2002 (6 U.S.C. 621 et 
seq.) upon showing that--
          (1) the requirements under such title are covered, to the 
        same extent and in the same manner, under another Federal 
        regulatory program;
          (2) the facility is in full and complete compliance with such 
        other Federal regulatory program, as shown through timely 
        scheduled inspections, audits, and other supporting evidence; 
        and
          (3) the facility has not, during the five-year period 
        preceding the date on which a waiver is requested, been subject 
        to an enforcement action brought by the Federal regulator 
        overseeing such regulatory program or been found to be 
        noncompliant with any aspect of such regulatory program.
  (b) Report to Congress.--Not later than two years after the date of 
the enactment of this Act, the Secretary of Homeland Security shall 
submit to the appropriate congressional committees a report that 
includes detailed findings regarding the establishment of the process 
described in subsection (a) and, if appropriate, recommendations for 
implementation.
  (c) Appropriate Congressional Committees.--In this section, the term 
``appropriate congressional committees'' means--
          (1) the Committee on Homeland Security and Governmental 
        Affairs of the Senate; and
          (2) the Committee on Homeland Security and the Committee on 
        Energy and Commerce of the House of Representatives.

SEC. 11. REVIEW OF TIERING METHODOLOGY.

  (a) Review Required.--The Director of the Cybersecurity and 
Infrastructure Security Agency shall--
          (1) conduct a review of the risk assessment approach and 
        corresponding tiering methodology for covered chemical 
        facilities required pursuant to section 2102(e)(2) of the 
        Homeland Security Act of 2002, as amended by this Act, and 
        assess the extent to which the approach and tiering methodology 
        takes into account--
                  (A) the nature of the area surrounding the chemical 
                facility, the presence of nearby facilities or other 
                critical infrastructure, and other features of the 
                community that could contribute to the consequences of 
                a terrorist attack or exploitation of chemicals of 
                interest;
                  (B) the potential effects on the health and economic 
                conditions of communities disproportionately vulnerable 
                to the consequences of a terrorist attack or 
                exploitation of chemicals of interest; and
                  (C) the vulnerabilities of chemical facilities to 
                cybersecurity threats, including the vulnerabilities of 
                facilities' information technology and operational 
                technology and the implications on the potential for 
                penetration of both the physical security and 
                cybersecurity of facilities; and
          (2) based on the review under paragraph (1), develop a plan 
        to ensure that when the tiering methodology is next updated, 
        the nature of the surrounding area, the presence of nearby 
        facilities or other critical infrastructure, and other features 
        of the community that could contribute to the consequences of a 
        terrorist attack or exploitation of chemicals of interest and 
        impacts on communities disproportionately vulnerable to the 
        consequences of a terrorist attack or exploitation of chemicals 
        of interest are considered.
  (b) Report to Congress.--
          (1) Report on review.--Not later than two years after the 
        date of the enactment of this Act, the Director shall submit to 
        the appropriate congressional committees a report on the 
        tiering methodology review required under subsection (a).
          (2) Submittal of plan.-- Not later than one year after 
        submitting the report under paragraph (1), the Director shall 
        submit to the appropriate congressional committees the tiering 
        methodology plan required under subsection (a)(2).
          (3) Appropriate congressional committees.--In this section, 
        the term ``appropriate congressional committees'' means--
                  (A) the Committee on Homeland Security and 
                Governmental Affairs of the Senate; and
                  (B) the Committee on Homeland Security and the 
                Committee on Energy and Commerce of the House of 
                Representatives.

SEC. 12. COMPTROLLER GENERAL REPORTS.

  (a) Evaluation of Effectiveness of Risk-based Performance 
Standards.--
          (1) Study and report.--Not later than 18 months after the 
        date of the enactment of this Act, the Comptroller General of 
        the United States shall conduct a study and submit to the 
        appropriate congressional committees a report on the 
        effectiveness of the risk-based performance standards used by 
        the Department of Homeland Security under title XXI of the 
        Homeland Security Act of 2002 (6 U.S.C. 621 et seq.) in 
        protecting businesses, employees, the economy, the public, and 
        national security against existing and evolving threats of 
        concern.
          (2) Contents of report.--The report required by paragraph (1) 
        shall address--
                  (A) the sufficiency of security risk determinations 
                and countermeasures under title XXI of the Homeland 
                Security Act of 2002 (6 U.S.C. 621 et seq.); and
                  (B) the need for revised or additional methods to 
                address evolving security risks.
  (b) Evaluation of Information Management.--Not later than one year 
after the date of the enactment of this Act, the Comptroller General of 
the United States shall conduct a study and submit to the appropriate 
congressional committees a report on--
          (1) how the Secretary of Homeland Security documents, 
        maintains, and uses information on tiering changes pursuant to 
        section 2102(e)(3) of the Homeland Security Act of 2002 (6 
        U.S.C. 622(e)(3)); and
          (2) how management, maintenance, utility, and use of the 
        information could be improved to better identify and 
        disseminate practices to reduce chemical security risks.
  (c) Evaluation of Practices to Reduce Chemical Security Risks.--Not 
later than three years after the date of the enactment of this Act, the 
Comptroller General of the United States shall submit to the 
appropriate congressional committees a report on the effectiveness of 
the development and distribution by the Secretary of Homeland Security 
of practices to address chemical security risks and of any actions 
taken or results produced in response to such practices.
  (d) Appropriate Congressional Committees.--In this section, the term 
``appropriate congressional committees'' means--
          (1) the Committee on Homeland Security and Governmental 
        Affairs of the Senate; and
          (2) the Committee on Homeland Security and the Committee on 
        Energy and Commerce of the House of Representatives.

SEC. 13. VOLUNTARY MECHANISM FOR REPORTING DRONES AND OTHER EMERGING 
                    THREATS.

  (a) In General.--Not later than 120 days after the date of the 
enactment of this Act, the Secretary of Homeland Security, acting 
through the Director of the Cybersecurity and Infrastructure Security 
Agency, shall provide a secure communications and information 
technology infrastructure or platform that allows owners and operators 
of covered chemical facilities to report, on a voluntary basis, 
information on emerging threats, including terrorism threats posed by 
unmanned aircraft systems (as defined in section 331(9) of the FAA 
Modernization and Reform Act of 2012 (Public Law 112-95; 49 U.S.C. 
40101 note) to covered chemical facilities.
  (b) Platform Capabilities.--The Secretary shall ensure that the 
secure communications and information technology infrastructure or 
platform established pursuant to subsection (a) is designed to support 
data mining and other advanced analytic tools to access, receive, and 
analyze data and information to facilitate the reporting of the 
information described in subsection (a).

SEC. 14. REGULATIONS REGARDING SPECIFIC PRODUCTS AND MIXTURES 
                    CONTAINING CHEMICALS OF INTEREST.

  Not later than one year after the date of the enactment of this Act, 
the Secretary of Homeland Security shall prescribe regulations to enact 
a process through which the Secretary can be petitioned to exclude a 
product or mixture under subsection (f) of section 2102 of the Homeland 
Security Act, as added by section 3. In collecting information from 
petitioners under such subsection, the Secretary shall not be subject 
to subchapter I of chapter 35 of title 44, United States Code, or 
section 553 of title 5, United States Code.

SEC. 15. VOLUNTARY PROGRAM.

  (a) In General.--The Director of Cybersecurity and Infrastructure 
Security of the Department of Homeland Security may develop a voluntary 
program for chemical facilities to address potential security risks at 
such facilities.
  (b) Congressional Notification.--Not less than 15 days prior to 
commencing a voluntary program pursuant to subsection (a), the Director 
shall provide notification to the Committee on Homeland Security and 
the Committee on Energy and Commerce of the House of Representatives 
and the Committee on Homeland Security and Governmental Affairs of the 
Senate.

SEC. 16. STUDY ON LOCAL EMERGENCY RESPONSE CAPACITY TO RESPOND TO 
                    CHEMICAL SECURITY INCIDENTS.

  (a) Study Required.--The Secretary of Homeland Security, acting 
through the Under Secretary for Science and Technology, shall conduct a 
study on how to improve training and support for local emergency 
response providers in areas with high concentrations of covered 
chemical facilities in how to respond to a terrorist attack on a 
chemical facility.
  (b) Features.--In carrying out the study required under subsection 
(a), the Secretary shall consider, as appropriate--
          (1) the degree to which jurisdictions with high 
        concentrations of covered chemical facilities have fire, 
        police, medical, and other response personnel trained and 
        equipped to respond to a terrorist attack on a chemical 
        facility and have--
                  (A) evacuation and shelter in place protocols 
                tailored to the unique needs of the jurisdiction and 
                the chemical properties of chemicals of interest that 
                would be involved in the attack and that take into 
                consideration vulnerable populations, including 
                schools, child care centers, nursing facilities, and 
                hospitals;
                  (B) community notification and warning systems; and
                  (C) surge capacities of hospitals and other health 
                care facilities in the area; and
          (2) what, if any, distinctions are there in preparedness for 
        a terrorist attack on a chemical facility in jurisdictions that 
        rely on volunteers to carry out fire, police, medical and other 
        response and jurisdictions that do not rely, in whole or in 
        part, on volunteers; and
          (3) all training, equipment, and support provided by the 
        Department of Homeland Security to local emergency response 
        providers in areas with a high concentration of covered 
        chemical facilities and chemical facilities of interest.
  (c) Survey.--In carrying out the study required under subsection (a), 
the Secretary may partner with a non-Departmental entity for the survey 
of a representative sample of emergency response providers in areas 
with a high concentration of covered chemical facilities, chemical 
facilities of interest, or other facilities with large quantities of 
chemicals.
  (d) Report.--No later than two years from the date on which the 
Secretary commences the study required under subsection (a), the 
Secretary shall submit to Congress the study, accompanied by plans, as 
appropriate, to--
          (1) improve the Department's counter-terrorism preparedness 
        and response planning, training, and equipment efforts to 
        ensure that they are better tailored and resourced to address 
        the unique needs of local emergency response providers in areas 
        with a high concentration of covered chemical facilities and 
        chemical facilities of interest; and
          (2) improve coordination among Federal, State, local, tribal, 
        and territorial government officials in emergency planning and 
        response in areas with high concentrations of covered chemical 
        facilities, chemical facilities of interest, or other 
        facilities with large quantities of hazardous chemicals.
  (e) Public Availability.--The report required under this section 
shall be made publicly available, but may include a classified annex.

SEC. 17. PREVIOUSLY APPROVED FACILITIES.

  In the case of a chemical facility that is a covered chemical 
facility under title XXI of the Homeland Security Act of 2002 for which 
the Secretary of Homeland Security approved a site security plan under 
such title before the date of enactment of this Act, the Secretary 
shall not require the facility to resubmit the site security plan 
solely by reason of the enactment of this Act or the amendments made by 
this Act.

SEC. 18. TERMINATION.

  Section 5 of the Protecting and Securing Chemical Facilities From 
Terrorist Attacks Act of 2014 (Public Law 113-254; 6 U.S.C. 621 note) 
is amended by striking ``the date that is 5 years and 3 months after 
the effective date of this Act'' and inserting ``May 1, 2025''.

                          Purpose and Summary

    H.R. 3256, the ``Protecting and Securing Chemical 
Facilities from Terrorist Attacks Act of 2019,'' reauthorizes 
the Department of Homeland Security (DHS)'s chemical security 
program, the Chemical Facility Anti-Terrorism Standards (CFATS) 
program for five years and, among other things, improves 
information sharing between high risk chemical facilities and 
emergency responders, fosters a culture of security within 
high-risk chemical facilities, and provides facility operators 
with information on practices that could be employed to reduce 
terrorism risk at their facilities.

                  Background and Need for Legislation

    The CFATS program was established through the FY 2007 
Department of Homeland Security (DHS) Appropriations Act in 
response to credible terrorist threats to U.S. chemical plants 
in 2006.\1\ For eight years, the continuation of this anti-
terrorism security program was dependent on the enactment of 
annual extensions attached to annual appropriations measures. 
Then, in December 2014, Congress enacted the Protecting and 
Securing Chemical Facilities from Terrorist Attacks Act of 2014 
(CFATS Act of 2014), which provided the CFATS program with a 
four-year authorization.\2\
---------------------------------------------------------------------------
    \1\Sec. 550, P.L. 109-295.
    \2\P.L. 113-254.
---------------------------------------------------------------------------
    The CFATS Act of 2014 requires facilities with threshold 
quantities of ``chemicals of interest''\3\ to submit 
information regarding the facility's chemical holdings to DHS, 
in the form of a ``Top Screen''.\4\ Facilities are assigned to 
1 of 4 risk tiers, with 1 being the highest. If DHS determines 
that a facility ``presents a high level of security risk,'' 
that facility must perform a vulnerability assessment and 
develop a site security plan (SSP) to address vulnerabilities 
in alignment with 18 risk-based performance standards. Of the 
41,000 facilities that have submitted Top Screens, DHS 
currently considers 3,329 to present a high level of security 
risk.\5\ The majority of facilities are in the lower-risk tiers 
(Tiers 3 and 4), with just 5% of facilities in Tier 1 and 2% in 
Tier 2.\6\
---------------------------------------------------------------------------
    \3\6 C.F.R. Part 27 Appendix A.
    \4\Sec. 2102, Homeland Security Act of 2002 (P.L. 107-296), as 
amended by P.L. 113-524 (6 U.S.C. 621 et seq.).
    \5\DHS CISA, CFATS Monthly Statistics (accessed Feb. 18, 2019), 
https://www.dhs.gov/cfats-monthly-statistics.
    \6\DHS CISA Slide Deck, CFATS Program Overview February 2019 (on 
file with Committee staff).
---------------------------------------------------------------------------
    Earlier this Congress, the Department's authority to carry 
out the CFATS program almost lapsed, and termination was 
narrowly avoided with the enactment of the Chemical Facility 
Anti-Terrorism Standards Program Extension Act.\7\ The CFATS 
program would have terminated on January 18, 2019 but is now 
authorized through April 2020. Upon enactment of the Chemical 
Facility Anti-Terrorism Standards Program Extension Act, the 
Committee immediately began developing legislation to not only 
provide a long-term authorization but also make improvements to 
the program in response to the Committee's oversight findings.
---------------------------------------------------------------------------
    \7\P.L. 116-2.
---------------------------------------------------------------------------
    Over the past six months, the Committee has worked 
diligently to develop this long-term reauthorization measure. 
To inform the legislation, the Committee held two hearings on 
the CFATS program, one with government witnesses on February 27 
at the Full Committee and one with non-government stakeholders 
within the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Innovation on March 12. Additionally, 
throughout the process, the Committee consulted with DHS, a 
coalition of industry stakeholders--comprised of over a dozen 
associations and companies representing hundreds of regulated 
facilities--as well as labor unions, environmental groups, and 
community advocacy associations.

                                Hearings

    For the purposes of section 103(i) of H. Res. 6 of the 
116th Congress, the following hearings were used to develop 
H.R. 3256:
           On February 27, 2019, the Committee held a 
        hearing entitled ``Securing Our Nation's Chemical 
        Facilities: Building on the Progress of the CFATS 
        Program.'' The Committee received testimony from David 
        Wulf, Director, Infrastructure Security Compliance 
        Division, Cybersecurity and Infrastructure Security 
        Agency, U.S. Department of Homeland Security; and 
        Nathan Anderson, Acting Director, Homeland Security & 
        Justice, U.S. Government Accountability Office.
           On March 12, 2019, the Committee held a 
        hearing entitled ``Securing Our Nation's Chemical 
        Facilities: Stakeholders Perspectives on Improving the 
        CFATS Program.'' The Committee received testimony from 
        John Morawetz, Health and Safety Representative, 
        International Chemical Workers Union Council; Dr. Mike 
        Wilson, National Director, Occupational and 
        Environmental Health Program, Blue Green Alliance; Ms. 
        Pamela Nixon. President, People Concerned About 
        Chemical Safety; and Kirsten Meskill, Director, 
        Corporate Security, BAS.

                        Committee Consideration

    The Committee met on June 19, 2019, with a quorum being 
present, to consider H.R. 3256 and ordered the measure to be 
reported to the House with a favorable recommendation, without 
amendment, by a recorded vote of 14 yeas and 12 nays.
    An amendment in the nature of a substitute offered by Mr. 
Richmond was agreed to by voice vote.

                            Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto.
    The Committee on Homeland Security considered H.R. 3256 on 
June 19, 2019 and took the following vote:
    Ordering to be reported to the House with a favorable 
recommendation; was Agreed TO, by a recorded vote of 14 yeas 
and 12 nays (Roll Call Vote No. 3).

                               Roll No. 3


------------------------------------------------------------------------
                   Yeas                                 Nays
------------------------------------------------------------------------
Mr. Thompson of Mississippi...............  Mr. Rogers of Alabama
Mr. Richmond..............................  Mr. King of New York
Mr. Payne.................................  Mr. McCaul
Miss Rice.................................  Mr. Katko
Mr. Correa................................  Mr. Ratcliffe
Ms. Torres Small of New Mexico............  Mr. Walker
Mr. Rose of New York......................  Mr. Higgins of Louisiana
Ms. Underwood.............................  Mrs. Lesko
Ms. Slotkin...............................  Mr. Green of Tennessee
Ms. Clarke of New York....................  Mr. Taylor
Ms. Titus.................................  Mr. Crenshaw
Mrs. Watson Coleman.......................  Mr. Guest
Ms. Barragan..............................
Mrs. Demings..............................
    Total    14                                 12
------------------------------------------------------------------------

                      Committee Oversight Findings

    In compliance with clause 3(c)(1) of rule XIII of the Rules 
of the House of Representatives, the Committee advises that the 
findings and recommendations of the Committee, based on 
oversight activities under clause 2(b)(1) of rule X of the 
Rules of the House of Representatives, are incorporated in the 
descriptive portions of this report.

Congressional Budget Office Estimate, New Budget Authority, Entitlement 
                    Authority, and Tax Expenditures

    With respect to the requirements of clause 3(c)(2) of rule 
XIII of the Rules of the House of Representatives and section 
308(a) of the Congressional Budget Act of 1974 and with respect 
to requirements of clause (3)(c)(3) of rule XIII of the Rules 
of the House of Representatives and section 402 of the 
Congressional Budget Act of 1974, the Committee adopts as its 
own the estimate of the estimate of new budget authority, 
entitlement authority, or tax expenditures or revenues 
contained in the cost estimate prepared by the Director of the 
Congressional Budget Office.

                                     U.S. Congress,
                               Congressional Budget Office,
                                 Washington, DC, September 9, 2019.
Hon. Bennie G. Thompson,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 3256, the 
Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act of 2019.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is William Ma.
            Sincerely,
                                         Phillip L. Swagel,
                                                          Director.
    Enclosure.

    
    

    H.R. 3256 would extend the Chemical Facility Anti-Terrorism 
Standards (CFATS) program through May 1, 2025, and make several 
other changes to the program; the authority to carry out the 
current program will expire in April 2020. In total, CBO 
estimates that enacting H.R. 3256 would cost $372 million over 
the 2020-2024 period; such spending would be subject to the 
appropriation of the estimated amounts (see Table 1). Another 
$77 million would be spent after 2024 to pay for the costs of 
the program until its expiration. In addition, the bill would 
increase revenues by less than $500,000 over the 2020-2029 
period, CBO estimates.
    Under CFATS, the Department of Homeland Security (DHS) 
regulates security at facilities that manufacture, store, or 
distribute any of more than 300 chemicals that could be used by 
terrorists to cause mass injury or death. The regulations set 
minimum standards for perimeter security, access control, 
personnel security, and cybersecurity to reduce the risk that 
those chemicals could be stolen, released, or sabotaged. DHS 
provides technical assistance and inspects regulated facilities 
to ensure that they meet those standards. For 2019, the 
Congress appropriated $74 million for the CFATS program.
    On the basis of amounts appropriated for the CFATS program, 
CBO estimates that extending the program through May 1, 2025, 
under current law would cost $344 million over the 2020-2024 
period. Because the extension in the bill would only cover five 
months of fiscal year 2020, the costs of implementing the 
extension are lower in that year.
    In addition, H.R. 3256 would change the CFATS program in 
several ways. Specifically, the bill would require DHS to do 
the following:
           Allow owners and operators of regulated 
        facilities to petition DHS to exempt from the standards 
        some products and mixtures containing chemicals that 
        are regulated under CFATS;
           Expedite the process through which DHS 
        notifies owners and operators of security deficiencies;
           Establish procedures to investigate 
        complaints from employees of regulated facilities who 
        claim to have been punished for reporting information 
        to DHS; and,
           Establish an advisory committee on chemical 
        security.
    On the basis of information from DHS, CBO estimates that 
implementing those changes would require DHS to hire about a 
dozen new full-time employees. Salaries for those employees and 
operating expenses to carry out the new requirements would cost 
$23 million over the 2020-2024 period.
    In total, reauthorizing the CFATS program would cost $367 
million over the 2020-2024 period, CBO estimates.

               TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER H.R. 3256
----------------------------------------------------------------------------------------------------------------
                                                                 By fiscal year, millions of dollars--
                                                      ----------------------------------------------------------
                                                        2019    2020    2021    2022    2023    2024   2019-2024
----------------------------------------------------------------------------------------------------------------
                                 Increases in Spending Subject to Appropriation
 
CFATS Program Reauthorization:
    Estimated Authorization Level....................       0      40      84      86      89      92        391
    Estimated Outlays................................       0      31      74      84      88      90        367
Studies and Reports:
    Estimated Authorization Level....................       0       5       *       *       *       *          5
    Estimated Outlays................................       0       4       1       *       *       *          5
    Total:
        Estimated Authorization Level................       0      45      84      86      89      92        396
        Estimated Outlays............................       0      35      75      84      88      90        372
----------------------------------------------------------------------------------------------------------------
In addition to the amounts shown here, implementing H.R. 3256 would require an additional appropriation of $55
  million in 2025 to fund the operation of the program until May of that year, CBO estimates. Outlays from those
  amounts, in addition to outlays from amounts authorized from earlier years would total $77 million over the
  2025-2029 period; that spending would be subject to appropriation of the estimated amounts.
Enacting H.R. 3256 also would increase revenues by an insignificant amount over the 2020-2029 period.
CFATS = Chemical Facility Anti-Terrorism Standards; * = between zero and $500,000.

    H.R. 3256, also would require the Government Accountability 
Office and DHS to conduct several studies on the CFATS program 
and to report their findings to the Congress. CBO estimates 
that in addition to the costs described above, conducting the 
studies and preparing the reports would cost $5 million over 
the 2020-2024 period.
    Reauthorizing the CFATS program also would extend DHS's 
authority to levy civil penalties against owners or operators 
of facilities that fail to comply with orders to correct 
deficiencies in their security plans. Amounts collected under 
that authority would be deposited in the Treasury and recorded 
as revenues. CBO estimates that DHS would collect less than 
$500,000 over the 2020-2029 period.
    H.R. 3256 would impose intergovernmental and private-sector 
mandates as defined in the Unfunded Mandates Reform Act (UMRA) 
on operators of chemical facilities. CBO estimates that the 
total cost of the mandates would fall below the annual 
intergovernmental and private-sector thresholds established in 
UMRA ($82 million and $164 million, respectively in 2019, 
adjusted annually for inflation).
    The bill would reauthorize existing security requirements, 
including vulnerability assessments and site security plans, 
under the Chemical Facility Anti-Terrorism Standards Program.
    The bill also would require chemical facilities to:
           Retain a record of employee feedback, which 
        is to be collected as part of the facilities' 
        vulnerability assessment and site security plan 
        process;
           Display a DHS-issued poster; and
           Make employees that participated in 
        developing the site's vulnerability assessment and 
        security plan available to DHS, upon request.
    Finally, the bill would extend whistleblower protections to 
include former employees of a chemical facility. Current law 
prohibits employers from taking adverse actions against 
current, but not former, employees.
    The incremental costs to comply with the mandates would be 
small because the facilities are either already complying with 
similar requirements under current law or because the 
additional requirements do not impose a significant 
administrative burden.
    The CBO staff contacts for this estimate are William Ma 
(for federal costs) and Brandon Lever (for mandates). The 
estimate was reviewed by Leo Lex, Deputy Assistant Director for 
Budget Analysis.

                       Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                      Duplicative Federal Programs

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that H.R. 3256 does not contain any provision that establishes 
or reauthorizes a program known to be duplicative of another 
Federal program.

                    Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, the objectives of H.R. 3256 include 
extending the authorization for the CFATS program for a period 
of 5 years until May 1, 2025. Additionally, it would make a 
number of improvements to the program including by requiring 
DHS to ensure the sharing of emergency response plans with 
emergency responders, enhance worker participation in the 
development of facilities' site security plans, clarify 
whistleblower protections against retaliation against workers 
who report security vulnerabilities or non-compliance with site 
security plans, and direct DHS to identify and disseminate 
information on practices that a facility could adopt to reduce 
or remove chemical security risks.

                          Advisory on Earmarks

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(d), 9(e), or 9(f) of the rule 
XXI.

             Section-by-Section Analysis of the Legislation


Section 1. Short title; table of contents

    This section provides that this bill may be cited as the 
``Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act of 2019'' and sets forth the table of contents for 
this Act.

Sec. 2. Definitions

    This section modifies definitions in section 2101 of the 
Homeland Security Act of 2002 (6 U.S.C. 621).

Sec. 3. Chemical Facility Anti-Terrorism Standards program

Employee input

    This section requires the Secretary of Homeland Security 
(Secretary), in carrying out the CFATS program, to verify 
information submitted by a facility before assigning it to a 
lower risk tier or determining that a facility no longer 
presents a high level of security risk. The Committee included 
this provision to ensure that before DHS determines that a 
facility should no longer be regulated for security or should 
be regulated at a less rigorous level, it verifies the change 
of chemical holdings or circumstances presented by the facility 
owner or operator. This section is based on a 2015 report by 
the Government Accountability Office (GAO) which found that DHS 
was not uniformly verifying facility-reported data in assigning 
risk tiers.\8\
---------------------------------------------------------------------------
    \8\U.S. Government Accountability Office, Critical Infrastructure 
Protection: DHS Action Needed to Verify Some Chemical Facility 
Information and Manage Compliance Process, GAO-15-614 (July 22, 2015).
---------------------------------------------------------------------------
    Additionally, this section clarifies a provision from the 
CFATS Act of 2014 to ensure that employees are consulted in the 
development of a facility's vulnerability assessment and site 
security plans. It amends existing statutory language that 
directs facilities to consult with employees in addition to a 
facility security officer or other official primarily 
responsible for site security who have relevant knowledge, 
experience, training, or education pertaining to matters of 
site security. Further, where employees are represented by a 
union, facilities are to consult with a representative, 
selected by the bargaining agent, with the same qualifications. 
Importantly, it requires facilities to maintain a record of 
such employee consultation, including how often it took place 
and what became of any employee recommendations, and to provide 
such information to DHS, in addition to granting CFATS 
inspectors access to such employees for purposes of carrying 
out audits and inspections. This section is based on 
stakeholder testimony provided to the Committee on March 12, 
2019, asserting that the current law, which merely encourages 
consultation with knowledgeable employees and labor 
representatives, is ``too generic to be effective'' and often 
results in facilities ``checking the box'' by asking employees 
to sign off on plans that have already been completed, if 
engagement occurs at all.\9\
---------------------------------------------------------------------------
    \9\Id.
---------------------------------------------------------------------------
    Finally, to improve security awareness within facilities, 
the section requires the Secretary to produce an employee 
awareness poster that informs employees about CFATS 
requirements and whistleblower protections that is to be 
displayed in areas accessible to the workforce. This section is 
intended to address concerns that employees are not empowered 
to participate in site security or report CFATS violations 
because they may not even be aware of the program or whether 
their facility is covered. Moreover, the Committee intends for 
this poster to be available to all facilities with chemicals of 
interest, not only those that have been designated as high 
risk, to preserve anonymity regarding which facilities are 
determined to be high-risk. The Committee believes that DHS, by 
doing more to oversee employee consultation and raise employee 
awareness about CFATS requirements, can help foster a culture 
of security within high risk chemical facilities.

Department of Homeland Security oversight

    The section requires the Secretary to disapprove a site 
security plan that does not satisfy the risk-based performance 
standards and fails to include the name, organizational 
affiliation, and phone number of a local emergency manager or 
local emergency response provider and a documented policy to 
contact the local emergency manager or local emergency response 
provider at least annually regarding emergency response plans 
at the facility. In 2018, GAO issued a report finding that DHS 
shares some information, but first responders and emergency 
planners do not have all the information they need to minimize 
the risk of injury or death when responding to incidents at 
high risk facilities.\10\ The Committee included this provision 
to ensure that facility owners and operators build 
communication with local emergency officials into the 
foundation of how a facility operates under the program.
---------------------------------------------------------------------------
    \10\U.S. Government Accountability Office, Critical Infrastructure 
Protection: DHS Should Take Actions to Measure Reduction in Chemical 
Facility Vulnerability and Share Information with First Responders, 
GAO-18-538 (August 8, 2018), https://www.gao.gov/assets/700/693817.pdf.
---------------------------------------------------------------------------
    The section also requires the Secretary to confirm that 
employee consultation has been carried out and recordkeeping of 
such consultation is maintained, in accordance with this 
section, prior to approving or disapproving a site security 
plan.
    Additionally, the section requires the Secretary, before 
issuing a re-determination that would lower a facility's risk 
tier or determine that the facility no longer presents a high 
level of security risk, to confirm the information provided by 
the facility owner or operator that was the basis for the 
determination and collect information on the actions taken or 
practices employed by the facility to reduce or remove 
terrorism-related chemical security risks, where applicable.

Elimination of the Expedited Approval Plan

    This section terminates the Expedited Approval Plan 
authorized under the CFATS Act of 2014. This program allows 
facilities in Tiers 3 and 4 to use an expedited process that 
allows them to self-certify compliance with a more prescriptive 
set of risk-based security guidelines issued by the Secretary. 
As of June 2018, of the 3,152 facilities eligible to use EAP, 
only 18 facilities opted to use it while all other facilities 
chose to access a process where they engage with DHS CFATS 
inspectors as they are developing and implementing site 
security plans.\11\
---------------------------------------------------------------------------
    \11\U.S. Government Accountability Office, Critical Infrastructure 
Protection: Progress and Challenges in DHS's Management of Its Chemical 
Facility Security Program, GAO-18-613T (June 14, 2018), https://
www.gao.gov/assets/700/692483.pdf.
---------------------------------------------------------------------------

Audits and inspections

    This section clarifies that DHS has the authority to carry 
out audits and inspections of covered chemical facilities and 
chemical facilities of interest and that inspectors should 
receive continuing education and other professional development 
tools necessary to carry out their duties. Additionally, it 
requires DHS to establish which credential or certification is 
necessary to conduct inspections related to cybersecurity, in 
alignment with Risk Based Performance Standard 8.\12\
---------------------------------------------------------------------------
    \12\U.S. Department of Homeland Security, Risk-Based Performance 
Standards Guidance (May 2009).
---------------------------------------------------------------------------
    Importantly, to ensure that information is shared with 
local emergency officials, it requires DHS to annually confirm 
compliance with the documented policy submitted with a 
facility's SSP, to contact the local emergency manager or local 
emergency response provider at least annually regarding 
emergency response plans at the facility. The Committee 
believes that oversight of whether facilities are communicating 
with emergency response officials is necessary, based on the 
findings of the 2018 GAO report describing inadequate sharing 
of information between DHS, facilities, and emergency response 
providers.\13\ The CFATS Act of 2014 contained provisions 
requiring DHS to share information through a secure and 
expeditious system so that first responders had sufficient 
situational awareness to respond to an incident at a high risk 
chemical facility. These provisions were based in part on the 
April 2013 explosion at the West Fertilizer Company in West, 
Texas, which killed more than a dozen first responders and 
leveled neighboring buildings. The U.S. Chemical Safety Board 
found that DHS had no knowledge of the West Fertilizer 
facility, even though it had reported threshold quantities of 
CFATS chemicals to other federal and state regulators, and that 
fewer first responders might have died had information 
regarding the facility's chemical holdings been shared.\14\ 
Through its oversight, the Committee has been troubled to learn 
that information sharing regarding the types of chemicals 
stored on site and its implications for response has not 
improved significantly since the West, Texas explosion. The 
Committee expects DHS to prioritize improving information 
sharing between local emergency officials and owners and 
operators of covered chemical facilities.
---------------------------------------------------------------------------
    \13\GAO-18-538.
    \14\U.S. Chemical Safety and Hazard Investigation Board, West 
Fertilizer Company Fire and Explosion: 15 Fatalities, More Than 260 
Injured, Investigation Report (Final), (Jan. 2016).
---------------------------------------------------------------------------

Risk assessments

    This section clarifies that the risk tiering methodology 
should consider risks posed by terrorist and other malicious 
actors and the consequences, in the event of a facility being 
subject to attack, compromise, infiltration, or the 
exploitation of chemicals of interest in its methodology.

Sharing information with emergency response providers

    In addition to the new requirements placed on facility 
owners and operators to have documented policies for 
communicating with emergency response officials and the new 
oversight requirements placed on DHS to ensure that such 
communication occurs, the section modifies the law to require 
the Secretary to make available information determined by the 
Secretary as necessary for response and situational awareness 
to State and local officials, including fusion centers, as 
defined in section 210A(j)(1) of the Homeland Security Act of 
2002.

Practices that may reduce chemical security risks

    This section directs the Secretary to analyze data 
collected from facilities that have successfully modified their 
chemical holdings, processes, or operations to reduce or 
eliminate risk, and use it to develop voluntary, publicly 
available practices that could be used to guide other facility 
owners and operators in preventing, reducing, and mitigating 
chemical security risks. The Committee believes that over the 
past twelve years, the CFATS program has matured and has the 
potential of not only helping facilities manage terrorism risk 
but also reduce their risk. Since 2007, the number of high-risk 
facilities has dropped by half--suggesting that CFATS has been 
a driver in encouraging facilities to reduce or eliminate 
terrorist targets. Further, CFATS facilities have ``achieved on 
average a 55% increase in their security posture as a direct 
result'' of regulation.\15\ Both the Department and expert 
stakeholders agree that ``there is more that [DHS] can do to 
mine those practices,''\16\ and that ``facilities have much to 
learn from each other.''\17\ This provision is intended to 
allow DHS to harness lessons learned through its engagement 
with facilities that tier down or out of the program to help 
make other facilities more secure.
---------------------------------------------------------------------------
    \15\Testimony of David Wulf, Director, Infrastructure Security 
Compliance Div., DHS Cybersecurity and Infrastructure Security Agency, 
before the U.S. House of Representatives Committee on Homeland Security 
hearing entitled Securing Our Nation's Chemical Facilities: Building on 
the Progress of the CFATS Program (Feb. 27, 2019).
    \16\Testimony of David Wulf, Securing Our Nation's Chemical 
Facilities (Feb. 27, 2019).
    \17\Testimony of John Morawetz, Securing Our Nation's Chemical 
Facilities: Stakeholder Perspectives (Mar. 12, 2019).
---------------------------------------------------------------------------

Specific products and mixtures

    This section authorizes the Secretary to exclude a specific 
product or mixture that contains a chemical of interest at or 
above the minimum thresholds established by the Secretary under 
Appendix A to part 27 of title 6, Code of Federal Regulations, 
if the Secretary determines that the product or mixture does 
not present a terrorism risk for which the chemical of interest 
is listed in Appendix A. The Committee understands that this 
authority is important for the Secretary's ability to run the 
CFATS program efficiently and in a manner that does not result 
in the needless regulation of facilities for mixtures or 
products whose chemical composition include chemicals of 
interest but are not exploitable or desirable for terrorist 
misuse. The Committee has heard concerns from some stakeholders 
that the Secretary could, under pressure from industry, exempt 
chemicals or products without fully documenting a rationale or 
giving stakeholders an opportunity to appeal the decision. The 
Committee expects the Secretary to exercise this limited 
authority in a responsible, risk-based manner. Further, the 
Committee expects that the Secretary rely on rigorous 
scientific analysis in making any such determination.

Congressional notification

    The section requires the Secretary to report on the average 
length of time required to (1) review and approve site security 
plans or alternate security programs; (2) ensure a facility has 
achieved full implementation of planned security measures; and 
(3) conduct compliance inspections.
    Additionally, this section requires the Secretary to notify 
Congress any time a facility is not tiered within nine months 
of submitting a Top-Screen. This section is informed by 
concerns from some stakeholders that the Department has, in 
some instances, delayed tiering determinations for months or 
years while trying to discern whether the chemicals or mixtures 
present a security threat. While the Committee encourages DHS 
to carry out tiering determinations in a rigorous manner, 
leaving facility owners and operators in a state of uncertainty 
for years is unacceptable. The Committee believes that the 
Department must prioritize issuing tiering determinations in a 
timely manner so that a facility can know if they are deemed to 
be a high-risk chemical facility and, if they are, they can 
begin to comply with the requirements of the CFATS program.

Sec. 4. Protection and sharing of information

    This section clarifies that ``chemical-terrorism 
vulnerability information'' (CVI), which is protected from 
disclosure, shall be made available, upon request, to (1) State 
and local government officials including law enforcement and 
emergency response providers (regarding facilities within their 
jurisdictions), (2) Members of Congress, (3) Members of the 
Chemical Security Advisory Committee created by this Act (in 
the course of conducting official duties and responsibilities 
as a committee member), and (4) the Comptroller General of the 
United States. It also clarifies that CVI protections shall not 
be construed to prohibit a chemical facility of interest from 
disclosing information that was not created solely for the 
purpose of meeting CFATS requirements. The Committee's 
oversight has identified challenges with the implementation of 
CVI protections that warrant this clarification, including a 
reluctance among some facilities to share information with 
first responders, emergency planners, or facility employees, 
out of concern that doing so will constitute an impermissible 
disclosure of CVI. While there is value in protecting some 
discrete records and documents--such as Site Security Plans or 
Compliance Inspection Reports)--from public release, an overly-
broad interpretation risks chilling information sharing in ways 
that undermine security, rather than promote it. It is the 
Committee's intent that the aforementioned categories of 
individuals shall be presumed to have a `need to know' for 
purposes of accessing CVI. Moreover, information that is 
already publicly available, readily discoverable, or otherwise 
lawfully disclosed should not be viewed as CVI information.

Sec. 5. Civil enforcement

    This section requires the Secretary to issue notices of 
noncompliance within three days, rather than 14 days, and order 
facilities to comply within 30 days, rather than 180 days. It 
authorizes the use of emergency orders for imminent threat of 
death, serious illness, or severe personal injury due to the 
risk of a terrorist or other malicious act. The section also 
makes an exception to the general rule, prohibiting private 
right of action for CFATS violations, for whistleblower 
retaliation.

Sec. 6. Whistleblower protection

    This section clarifies existing whistleblower protections 
established pursuant to the CFATS Act of 2014 by requiring the 
Secretary to keep the identity of a reporting individual 
confidential, absent his or her consent, unless disclosure is 
essential to investigate or because of compulsory legal 
process, in which case the individual must be notified. 
Further, the section clarifies that the Secretary is required 
to respond to an individual asserting a whistleblower claim not 
later than 15 days after receiving the report and provides a 
20-day period for review of actions based on reports under this 
section.
    Importantly, it requires the Secretary to establish a 
procedure for the review and investigation of complaints of 
retaliation against an employee of the facility, or former 
employee. This provision is based on findings from a 2016 GAO 
report which found that DHS did not have a documented process 
or procedures for addressing whistleblower retaliation 
claims.\18\ While the Department has a system in place for 
whistleblowers to report CFATS violations, there is no 
documented policy in place for investigating and resolving a 
claim of prohibited reprisal against a whistleblower, should 
one arise.
---------------------------------------------------------------------------
    \18\U.S. Government Accountability Office, Critical Infrastructure 
Protection: Improvements Needed for DHS' Chemical Facility 
Whistleblower Report Process, GAO-16-572 (July 12, 2016), https://
www.gao.gov/products/GAO-16-572.
---------------------------------------------------------------------------
    Last, it creates an exception to the general rule--that the 
Secretary must complete review of a petition within 30 days or 
the action shall cease to be effective--if the violation 
continues to exist or if such period is insufficient to 
complete the review of the action.

Sec. 7. Chemical Security Advisory Committee

    This section establishes a new Chemical Security Advisory 
Committee to advise the Secretary on CFATS implementation. The 
Committee will be compromised of 12 members selected by the 
Secretary, who represent: industry; academia; labor; emergency 
response providers; local emergency planners; environmental, 
community, or public health advocates, particularly for 
communities with high concentrations of covered chemical 
facilities; and cybersecurity and information policy. Members 
are to select a Chair and each unpaid Member is to serve for an 
initial three-year term and can be re-appointed for an 
additional three years. The Committee may establish 
subcommittees to assess risk tiering, the risk-based 
performance standards, and risk reduction strategies, among 
other things. Committee Members shall maintain information 
protections and Members may access classified information with 
appropriate security clearances. The establishment of an 
Advisory Committee is informed by stakeholder complaints that 
DHS does not have mechanisms to allow for broader, academic, or 
scientific input from subject matter experts in industry and 
other fields.
    For purposes of engaging with DHS on classified and CVI 
program aspects and terrorism threat information, the Committee 
is exempt from the Federal Advisory Committee Act but is 
required to submit an annual report to the Secretary not less 
than January 30 each year. In turn, the Secretary shall provide 
the report, together with any Secretarial feedback on the 
report, to Congress within 45 days of receipt of the report.

Sec. 8. Implementation plan and report to Congress

    This section requires DHS, within 90 days, to develop and 
submit to Congress an implementation plan outlining how the 
Secretary will aggregate, anonymize, and analyze data collected 
from chemical facilities that have successfully reduced or 
removed chemical security risks, and use such data to develop 
voluntary, publicly available, practices based on such data to 
guide facility owners and operators in preventing, reducing, 
and managing security risks. The Committee intends for DHS to 
update these risk reduction practices as necessary, on an 
ongoing basis, as new practices are identified, and disseminate 
such practices to chemical facility owners and operators 
through an appropriate medium or system, including by making 
such practices available to the public to the greatest extent 
practicable.
    This section also requires the Secretary, within one year 
and annually thereafter, to submit to Congress a report on 
implementation, a description of the voluntary, publicly 
available, practices identified, and the system or medium used 
to disseminate such practices.
    Through years of oversight, the Committee has identified an 
opportunity for DHS to use CFATS data more effectively--
specifically the data on how facilities are reducing and 
removing chemical security risks--to inform anonymized, 
generalized practices that could guide other facility owners 
and operators in how they might approach similar risk reduction 
efforts. Since 2007, the number of high-risk facilities has 
dropped by half--suggesting that CFATS has been a driver in 
encouraging facilities to reduce or eliminate terrorist 
targets. Further, CFATS facilities have ``achieved on average a 
55% increase in their security posture as a direct result'' of 
regulation.\19\ Both the Department and expert stakeholders 
agree that ``there is more that [DHS] can do to mine those 
practices,''\20\ and that ``facilities have much to learn from 
each other.''\21\ This provision is intended to allow DHS to 
harness lessons learned through its engagement with facilities 
that tier down or out of the program to help make other 
facilities more secure. The Committee has come to understand 
that the CFATS Program has matured to a point where it can do 
more to improve overall security in the chemical sector through 
the sharing of this information with facility owners and 
operators. The Committee also encourages DHS to find 
opportunities to use these risk reduction practices to inform 
or carry out the voluntary program described in section 15 of 
this Act.
---------------------------------------------------------------------------
    \19\Testimony of David Wulf, Director, Infrastructure Security 
Compliance Div., DHS Cybersecurity and Infrastructure Security Agency, 
before the U.S. House of Representatives Committee on Homeland Security 
hearing entitled Securing Our Nation's Chemical Facilities: Building on 
the Progress of the CFATS Program (Feb. 27, 2019).
    \20\Testimony of David Wulf, Securing Our Nation's Chemical 
Facilities (Feb. 27, 2019).
    \21\Testimony of John Morawetz, Securing Our Nation's Chemical 
Facilities: Stakeholder Perspectives (Mar. 12, 2019).
---------------------------------------------------------------------------

Sec. 9. Study on risks posed by excluded facilities

    This section requires DHS, within 90 days, to enter into an 
agreement with a non-DHS entity to conduct an independent 
assessment of the national security implications of exempting 
excluded facilities, as defined in Sec. 2101, from CFATS, as 
well as the implications for the facilities, communities, and 
geographic areas where such facilities are located. Within 16 
months after entering into the agreement, DHS is required to 
submit a report with findings and recommendations to the Senate 
Homeland Security and Government Affairs Committee, and the 
House Committees on Homeland Security and Energy and Commerce.
    Since the program was established in 2006, thousands of 
facilities across the country have been exempt from this 
homeland security program targeted at helping facilities 
identify and manage their terrorism risk. The exempted 
facilities are those that are: regulated under the Maritime 
Transportation Security Act of 2002; public water systems, as 
defined under the Safe Drinking Water Act; Treatment Works, as 
defined under the Federal Water Pollution Control Act; owned or 
operated by the Department of Defense or the Department of 
Energy; or subject to regulation by the Nuclear Regulatory 
Commission, or by a State that has entered into an agreement 
with the Nuclear Regulatory Commission under the Atomic Energy 
Act of 1954. The Committee notes that it has been thirteen 
years since the exemptions were established. In that time, the 
CFATS program has matured and the terrorism threat picture has 
grown more diverse and complex. As such, the Committee believes 
that an independent security study of the security implications 
posed by maintaining categories of excluded facilities is 
timely.

Sec. 10. Study on feasibility of waiver program

    This section requires the Secretary to study the 
feasibility and desirability of establishing a process under 
which certain chemical facilities, as determined by the 
Secretary, may apply for a waiver of certain CFATS requirements 
upon showing that: (1) the requirements of CFATS are covered, 
to the same extent and in the same manner, under another 
Federal regulatory program; (2) the facility is in full 
compliance with such other program; and (3) the facility has 
not, in the past five years, been subject to an enforcement 
action or otherwise found to be noncompliant with any aspect of 
the program. The Secretary is required to submit the report to 
the Senate Homeland Security and Government Affairs Committee, 
and the House Committees on Homeland Security and Energy and 
Commerce within two years. Through engagement with private 
sector stakeholders, the Committee has repeatedly been told of 
overlapping or duplicative Federal regulatory programs that 
should be harmonized with CFATS, or alternatively, warrant 
certain facilities being exempted from the program entirely. 
The Committee is concerned that the latter could create new 
security gaps, since while some regulatory programs may relate 
to CFATS or govern similar regulated communities, it is not 
clear that the regulatory requirements are exactly parallel or 
similarly concerned with facility security. Moreover, there is 
a great deal of variation among regulators--in terms of 
enforcement authority, staffing, capacity and expertise. 
Therefore, this section directs the Department to study whether 
it would be feasible or desirable to create a program whereby 
facilities could receive a waiver, on a case-by-case basis, 
subject to their regulatory compliance record with another 
regulator.

Sec. 11. Review of potential effects of attacks on covered chemical 
        facilities on other critical infrastructure

    This section requires the Director of the Cybersecurity and 
Infrastructure Security Agency (CISA), the agency in which the 
CFATS program operates, to review the risk assessment and 
tiering methodology and assess the extent to which it takes 
into account: (1) the nature of the area surrounding the 
facility, the presence of nearby facilities or other critical 
infrastructure, and other features of the community that could 
contribute to the consequences of a terrorist attack or 
exploitation of chemicals of interest; (2) the potential 
effects on the health and economic conditions of communities 
disproportionately vulnerable to the consequences of a 
terrorist attack or exploitation of chemicals of interest; and 
(3) the vulnerabilities of chemical facilities to cybersecurity 
threats, including the vulnerabilities of facilities' 
information technology and operational technology and the 
implications on the potential for penetration of both the 
physical security and cybersecurity of facilities.
    Based on this review, the CISA Director is required to 
develop a plan to ensure such factors are better integrated 
into the risk tiering methodology when it is next updated. It 
also requires the CISA Director to submit a report on the 
tiering methodology review to the Senate Homeland Security and 
Government Affairs Committee, and the House Committees on 
Homeland Security and Energy and Commerce within two years of 
enactment of this Act.
    In the past, Congress has questioned whether DHS is using 
appropriate factors and methodologies to determine which 
facilities are high risk. Currently, DHS does not consider 
factors about the community in which a facility is located--
like whether it is located beside an elementary school or a 
nursing home--or whether neighboring structures (including 
other critical infrastructure) might make the facility a more 
desirable terrorist target. Unlike EPA and other regulators, 
DHS' tiering methodology does not consider potential health 
implications of chemical terrorism, only the number of 
fatalities that could result from an attack.
    There is a substantial body of research showing that many 
chemical facilities are located close to population centers and 
tend to be heavily concentrated in minority and low-income 
communities.\22\ A 2014 report by the Center for Effective 
Government found that one-third of U.S. children attend school 
within impact radius of a chemical facility explosion or 
release.\23\ Low income communities may also have fewer 
resources to devote to emergency response planning and 
personnel. Emergency response procedures at the `fence-line' of 
a chemical facility are often inadequate, and generally involve 
directing people nearby to shelter in place.\24\ Many 
communities also have multiple high-risk chemical facilities 
clustered or concentrated in a single area, which could have 
catastrophic results in the event of a terrorist attack. As 
such, vulnerable populations would likely suffer the worst 
consequences of a chemical explosion or release at a CFATS 
facility. Accordingly, the Committee intends for DHS to take a 
more comprehensive look at the factors that make a facility 
`high risk,' and identify opportunities to align the 
methodology accordingly.
---------------------------------------------------------------------------
    \22\See, e.g., Paul Orum, Environmental Justice and Health Alliance 
for Chemical Policy Reform, Who's in Danger: Race, Poverty, and 
Chemical Disasters (May 2014), http://comingcleaninc.org/assets/media/
images/Reports/Who%27s%20in%20Danger%20Report%20FINAL.pdf.
    \23\Amanda Frank and Seth Moulton, Center for Effective Government, 
Kids in Danger Zones: One in Three U.S. Schoolchildren at Risk from 
Chemical Catastrophes (September 2014), http://www.foreffectivegov.org/
sites/default/files/kids-in-danger-zones-report.pdf.
    \24\Orum, Who's in Danger? at 11.
---------------------------------------------------------------------------

Sec. 12. Comptroller general reports

    This section requires GAO to study and report on the 
effectiveness of risk-based performance standards in protecting 
businesses, employees, the economy, and the public against 
existing and evolving threats. It also requires a GAO study on 
information management around practices, including the 
maintenance and utilization of information on tiering changes 
and areas to improve the identification and dissemination of 
practices to reduce chemical security risks. Finally, it 
requires GAO to study practices to reduce chemical security 
risks, specifically how effectively they are developed and 
distributed, and actions taken in response to practices.

Sec. 13. Voluntary mechanism for reporting drones and other emerging 
        threats

    This section requires the CISA Director, within 120 days, 
to establish a secure platform for facilities to report, on a 
voluntary basis, information on emerging threats, including 
terrorism threats posed by unmanned aircraft systems. The 
Committee expects the platform to support data-mining and other 
advanced analytic tools to access, receive, and analyze data. 
This provision is informed by testimony received in the 115th 
Congress before the Committee on Homeland Security Subcommittee 
on Cybersecurity, Infrastructure Protection, and Innovation, 
which revealed that critical infrastructure owners and 
operators--and the chemical sector in particular--do not have a 
clear, consistent mechanism for reporting unauthorized unmanned 
aerial systems (UAS) activities operating over their facilities 
to DHS.\25\ The Committee believes that this reporting 
mechanism should exist, as it would provide recourse for 
facilities and help inform the Department's understanding of 
the threat landscape.
---------------------------------------------------------------------------
    \25\U.S. House of Representatives Committee on Homeland Security 
Subcommittee on Cybersecurity and Infrastructure Protection hearing 
entitled Industry Views of the Chemical Facility Anti-Terrorism 
Standards Program (Feb. 15, 2018).
---------------------------------------------------------------------------

Sec. 14. Regulations regarding specific products and mixtures 
        containing chemicals of interest

    This section requires the Secretary to issue regulations 
within one year on a process to petition DHS to exclude a 
product or mixture, and clarifies that DHS is not subject to 44 
U.S.C. subchapter I, chapter 35 or 5 U.S.C. 553 for purposes of 
prescribing such regulations. This provision is intended to 
help effectuate the authority provided under section 3 of this 
Act.

Sec. 15. Voluntary program

    This section authorizes the CISA Director to develop a 
voluntary program for chemical facilities to address potential 
security risks at such facilities. The Committee intends for 
this program to be targeted to facilities in the chemical 
sector that are not subject to the CFATS program. The Committee 
believes that the CISA Director should not target this program 
at facilities that have tiered out of the program but rather 
facilities that do not have chemicals of interest to warrant 
submission of Top-Screens and, as such, may have little 
awareness of how they could address potential security risks at 
their facilities.

Sec. 16. Study on local emergency response capacity to respond to 
        chemical security incidents

    This section requires the Secretary, acting through the 
Under Secretary for Science and Technology, to conduct a study 
on how to improve training and support for local emergency 
response providers in areas with high concentrations of covered 
chemical facilities on how to respond to a terrorist attack on 
a chemical facility.

Sec. 17. Previously approved facilities

    This section prohibits the Secretary from requiring a 
facility to resubmit a site security plan solely by reason of 
the enactment of this Act or the amendments made by this Act.

Sec. 18. Termination

    This section amends the date on which authority to carry 
out CFATS terminates to May 1, 2025.

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman):

                     HOMELAND SECURITY ACT OF 2002


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

  (a) Short Title.--This Act may be cited as the ``Homeland 
Security Act of 2002''.
  (b) Table of Contents.--The table of contents for this Act is 
as follows:

Sec. 1. Short title; table of contents.
     * * * * * * *

          TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS

     * * * * * * *
Sec. 2110. Chemical Security Advisory Committee.
     * * * * * * *

         TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS

SEC. 2101. DEFINITIONS.

  In this title--
          (1) the term ``CFATS regulation'' means--
                  (A) an existing CFATS regulation; and
                  (B) any regulation or amendment to an 
                existing CFATS regulation issued pursuant to 
                the authority under section 2107;
          (2) the term ``chemical facility of interest'' means 
        a facility that--
                  (A) holds, or that the Secretary has a 
                reasonable basis to believe holds, a chemical 
                of interest, as designated under Appendix A to 
                part 27 of title 6, Code of Federal 
                Regulations, or any successor thereto, at a 
                threshold quantity set pursuant to relevant 
                risk-related security principles; and
                  (B) is not an excluded facility;
          (3) the term ``covered chemical facility'' means a 
        facility that--
                  (A) the Secretary--
                          (i) identifies as a chemical facility 
                        of interest; and
                          (ii) based upon review of the 
                        facility's Top-Screen, determines meets 
                        the risk criteria developed under 
                        section 2102(e)(2)(B); and
                  (B) is not an excluded facility;
          (4) the term ``excluded facility'' means--
                  (A) a facility regulated under the Maritime 
                Transportation Security Act of 2002 (Public Law 
                107-295; 116 Stat. 2064);
                  (B) a public water system, as that term is 
                defined in section 1401 of the Safe Drinking 
                Water Act (42 U.S.C. 300f);
                  (C) a Treatment Works, as that term is 
                defined in section 212 of the Federal Water 
                Pollution Control Act (33 U.S.C. 1292);
                  (D) a facility owned or operated by the 
                Department of Defense or the Department of 
                Energy; or
                  (E) a facility [subject to regulation] 
                regulated by the Nuclear Regulatory Commission, 
                or by a State that has entered into an 
                agreement with the Nuclear Regulatory 
                Commission under section 274 b. of the Atomic 
                Energy Act of 1954 (42 U.S.C. 2021(b)) to 
                protect against unauthorized access of any 
                material, activity, or structure licensed by 
                the Nuclear Regulatory Commission;
          (5) the term ``existing CFATS regulation'' means--
                  (A) a regulation promulgated under section 
                550 of the Department of Homeland Security 
                Appropriations Act, 2007 (Public Law 109-295; 6 
                U.S.C. 121 note) [that is in effect on the day 
                before the date of enactment of the Protecting 
                and Securing Chemical Facilities from Terrorist 
                Attacks Act of 2014] or this title; and
                  (B) a Federal Register notice or other 
                published guidance relating to section 550 of 
                the Department of Homeland Security 
                Appropriations Act, 2007 [that is in effect on 
                the day before the date of enactment of the 
                Protecting and Securing Chemical Facilities 
                from Terrorist Attacks Act of 2014] or this 
                title;
          [(6) the term ``expedited approval facility'' means a 
        covered chemical facility for which the owner or 
        operator elects to submit a site security plan in 
        accordance with section 2102(c)(4);
          [(7) the term ``facially deficient'', relating to a 
        site security plan, means a site security plan that 
        does not support a certification that the security 
        measures in the plan address the security vulnerability 
        assessment and the risk-based performance standards for 
        security for the facility, based on a review of--
                  [(A) the facility's site security plan;
                  [(B) the facility's Top-Screen;
                  [(C) the facility's security vulnerability 
                assessment; or
                  [(D) any other information that--
                          [(i) the facility submits to the 
                        Department; or
                          [(ii) the Department obtains from a 
                        public source or other source;
          [(8) the term ``guidance for expedited approval 
        facilities'' means the guidance issued under section 
        2102(c)(4)(B)(i);]
          [(9)] (6) the term ``risk assessment'' means the 
        Secretary's application of relevant risk criteria 
        identified in section 2102(e)(2)(B);
          [(10)] (7) the term ``terrorist screening database'' 
        means the terrorist screening database maintained by 
        the Federal Government Terrorist Screening Center or 
        its successor;
          [(11)] (8) the term ``tier'' has the meaning given 
        the term in section 27.105 of title 6, Code of Federal 
        Regulations, or any successor thereto;
          [(12)] (9) the terms ``tiering'' and ``tiering 
        methodology'' mean the procedure by which the Secretary 
        assigns a tier to each covered chemical facility based 
        on the risk assessment for that covered chemical 
        facility;
          [(13)] (10) the term ``Top-Screen'' has the meaning 
        given the term in section 27.105 of title 6, Code of 
        Federal Regulations, or any successor thereto; and
          [(14)] (11) the term ``vulnerability assessment'' 
        means the identification of weaknesses in the security 
        of a chemical facility of interest.

SEC. 2102. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS PROGRAM.

  (a) Program Established.--
          (1) In general.--There is in the Department a 
        Chemical Facility Anti-Terrorism Standards Program, 
        which shall be located in the Cybersecurity and 
        Infrastructure Security Agency.
          (2) Requirements.--In carrying out the Chemical 
        Facility Anti-Terrorism Standards Program, the 
        Secretary shall--
                  (A) identify--
                          (i) chemical facilities of interest; 
                        and
                          (ii) covered chemical facilities;
                  (B) require each chemical facility of 
                interest to submit a Top-Screen and any other 
                information the Secretary determines necessary 
                to enable the Department to assess the security 
                risks associated with the facility;
                  (C) establish risk-based performance 
                standards designed to address high levels of 
                security risk at covered chemical facilities; 
                [and]
                  (D) require each covered chemical facility 
                to--
                          (i) submit a security vulnerability 
                        assessment; and
                          (ii) develop, submit, and implement a 
                        site security plan[.]; and
                  (E) verify information submitted by a covered 
                chemical facility prior to assigning such 
                facility a lower risk tier or determining that 
                such facility no longer presents a high level 
                of security risk.
  (b) Security Measures.--
          (1) In general.--A facility, in developing a site 
        security plan as required under subsection (a), shall 
        include security measures that, in combination, 
        appropriately address the security vulnerability 
        assessment and the risk-based performance standards for 
        security for the facility.
          [(2) Employee input.--To the greatest extent 
        practicable, a facility's security vulnerability 
        assessment and site security plan shall include input 
        from at least 1 facility employee and, where 
        applicable, 1 employee representative from the 
        bargaining agent at that facility, each of whom 
        possesses, in the determination of the facility's 
        security officer, relevant knowledge, experience, 
        training, or education as pertains to matters of site 
        security.]
          (2) Employee consultation and awareness.--
                  (A) Employee consultation requirement.--A 
                facility's security vulnerability assessment 
                and site security plan shall be developed in 
                consultation with--
                          (i) at least one facility employee, 
                        in addition to the facility security 
                        officer or other individual who serves 
                        as a point of contact under section 
                        27.230(a)(17) of title 6, Code of 
                        Federal Regulations, and the 
                        corresponding guidance issued under 
                        section 27.220(d) of such title, or any 
                        successor thereto, who possesses 
                        relevant knowledge, experience, 
                        training, or education pertaining to 
                        matters of site security.
                          (ii) in the case of a facility where 
                        facility employees are represented by a 
                        bargaining agent, at least one employee 
                        representative who--
                                  (I) is selected by the 
                                bargaining agent at that 
                                facility; and
                                  (II) has relevant knowledge, 
                                experience, training, or 
                                education pertaining to matters 
                                of site security.
                  (B) Record of employee consultation.--A 
                covered chemical facility shall maintain a 
                written record of the employee consultation 
                required by subparagraph (A), including a 
                record of--
                          (i) the name of the employee with 
                        whom the facility security officer or 
                        other similar official consulted;
                          (ii) how often and when such 
                        consultation took place;
                          (iii) what mechanisms the facility 
                        used to capture feedback; and
                          (iv) any recommendations that were 
                        offered, accepted, or rejected as part 
                        of the security vulnerability 
                        assessment or site security plan.
                  (C) Access to employees.--Each owner or 
                operator of a covered chemical facility shall, 
                upon request, provide to an employee of the 
                Department engaged in carrying out audits and 
                inspections of such facility access to any 
                employee who participated in the development of 
                the facility's security vulnerability 
                assessment and site security plan.
                  (D) Employee awareness.--The Secretary shall 
                produce a poster that a chemical facility of 
                interest shall display in areas accessible to 
                facility employees to inform employees about 
                requirements under this title and the 
                whistleblower protections provided under 
                section 2105.
  (c) Approval or Disapproval of Site Security Plans.--
          (1) In general.--
                  (A) Review.--Except as provided in paragraph 
                (4), the Secretary shall review and approve or 
                disapprove each site security plan submitted 
                pursuant to subsection (a).
                  (B) Bases for disapproval.--The Secretary--
                          (i) may not disapprove a site 
                        security plan based on the presence or 
                        absence of a particular security 
                        measure; [and]
                          [(ii) shall disapprove a site 
                        security plan if the plan fails to 
                        satisfy the risk-based performance 
                        standards established pursuant to 
                        subsection (a)(2)(C).]
                          (ii) shall disapprove a site security 
                        plan if--
                                  (I) the plan fails to satisfy 
                                the risk-based performance 
                                standards established pursuant 
                                to subsection (a)(2)(C); or
                                  (II) the plan fails to 
                                include the name, 
                                organizational affiliation, and 
                                phone number of a local 
                                emergency manager or local 
                                emergency response provider and 
                                a documented policy to contact 
                                the local emergency manager or 
                                local emergency response 
                                provider at least annually 
                                regarding emergency response 
                                plans at the facility.
          (2) Alternative security programs.--
                  (A) Authority to approve.--
                          (i) In general.--The Secretary may 
                        approve an alternative security program 
                        established by a private sector entity 
                        or a Federal, State, or local authority 
                        or under other applicable laws, if the 
                        Secretary determines that the 
                        requirements of the program meet the 
                        requirements under this section.
                          (ii) Additional security measures.--
                        If the requirements of an alternative 
                        security program do not meet the 
                        requirements under this section, the 
                        Secretary may recommend additional 
                        security measures to the program that 
                        will enable the Secretary to approve 
                        the program.
                  (B) Satisfaction of site security plan 
                requirement.--A covered chemical facility may 
                satisfy the site security plan requirement 
                under subsection (a) by adopting an alternative 
                security program that the Secretary has--
                          (i) reviewed and approved under 
                        subparagraph (A); and
                          (ii) determined to be appropriate for 
                        the operations and security concerns of 
                        the covered chemical facility.
          [(3) Site security plan assessments.--
                  [(A) Risk assessment policies and 
                procedures.--In approving or disapproving a 
                site security plan under this subsection, the 
                Secretary shall employ the risk assessment 
                policies and procedures developed under this 
                title.
                  [(B) Previously approved plans.--In the case 
                of a covered chemical facility for which the 
                Secretary approved a site security plan before 
                the date of enactment of the Protecting and 
                Securing Chemical Facilities from Terrorist 
                Attacks Act of 2014, the Secretary may not 
                require the facility to resubmit the site 
                security plan solely by reason of the enactment 
                of this title.
          [(4) Expedited approval program.--
                  [(A) In general.--A covered chemical facility 
                assigned to tier 3 or 4 may meet the 
                requirement to develop and submit a site 
                security plan under subsection (a)(2)(D) by 
                developing and submitting to the Secretary--
                          [(i) a site security plan and the 
                        certification described in subparagraph 
                        (C); or
                          [(ii) a site security plan in 
                        conformance with a template authorized 
                        under subparagraph (H).
                  [(B) Guidance for expedited approval 
                facilities.--
                          [(i) In general.--Not later than 180 
                        days after the date of enactment of the 
                        Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall issue 
                        guidance for expedited approval 
                        facilities that identifies specific 
                        security measures that are sufficient 
                        to meet the risk-based performance 
                        standards.
                          [(ii) Material deviation from 
                        guidance.--If a security measure in the 
                        site security plan of an expedited 
                        approval facility materially deviates 
                        from a security measure in the guidance 
                        for expedited approval facilities, the 
                        site security plan shall include an 
                        explanation of how such security 
                        measure meets the risk-based 
                        performance standards.
                          [(iii) Applicability of other laws to 
                        development and issuance of initial 
                        guidance.--During the period before the 
                        Secretary has met the deadline under 
                        clause (i), in developing and issuing, 
                        or amending, the guidance for expedited 
                        approval facilities under this 
                        subparagraph and in collecting 
                        information from expedited approval 
                        facilities, the Secretary shall not be 
                        subject to--
                                  [(I) section 553 of title 5, 
                                United States Code;
                                  [(II) subchapter I of chapter 
                                35 of title 44, United States 
                                Code; or
                                  [(III) section 2107(b) of 
                                this title.
                  [(C) Certification.--The owner or operator of 
                an expedited approval facility shall submit to 
                the Secretary a certification, signed under 
                penalty of perjury, that--
                          [(i) the owner or operator is 
                        familiar with the requirements of this 
                        title and part 27 of title 6, Code of 
                        Federal Regulations, or any successor 
                        thereto, and the site security plan 
                        being submitted;
                          [(ii) the site security plan includes 
                        the security measures required by 
                        subsection (b);
                          [(iii)(I) the security measures in 
                        the site security plan do not 
                        materially deviate from the guidance 
                        for expedited approval facilities 
                        except where indicated in the site 
                        security plan;
                          [(II) any deviations from the 
                        guidance for expedited approval 
                        facilities in the site security plan 
                        meet the risk-based performance 
                        standards for the tier to which the 
                        facility is assigned; and
                          [(III) the owner or operator has 
                        provided an explanation of how the site 
                        security plan meets the risk-based 
                        performance standards for any material 
                        deviation;
                          [(iv) the owner or operator has 
                        visited, examined, documented, and 
                        verified that the expedited approval 
                        facility meets the criteria set forth 
                        in the site security plan;
                          [(v) the expedited approval facility 
                        has implemented all of the required 
                        performance measures outlined in the 
                        site security plan or set out planned 
                        measures that will be implemented 
                        within a reasonable time period stated 
                        in the site security plan;
                          [(vi) each individual responsible for 
                        implementing the site security plan has 
                        been made aware of the requirements 
                        relevant to the individual's 
                        responsibility contained in the site 
                        security plan and has demonstrated 
                        competency to carry out those 
                        requirements;
                          [(vii) the owner or operator has 
                        committed, or, in the case of planned 
                        measures will commit, the necessary 
                        resources to fully implement the site 
                        security plan; and
                          [(viii) the planned measures include 
                        an adequate procedure for addressing 
                        events beyond the control of the owner 
                        or operator in implementing any planned 
                        measures.
                  [(D) Deadline.--
                          [(i) In general.--Not later than 120 
                        days after the date described in clause 
                        (ii), the owner or operator of an 
                        expedited approval facility shall 
                        submit to the Secretary the site 
                        security plan and the certification 
                        described in subparagraph (C).
                          [(ii) Date.--The date described in 
                        this clause is--
                                  [(I) for an expedited 
                                approval facility that was 
                                assigned to tier 3 or 4 under 
                                existing CFATS regulations 
                                before the date of enactment of 
                                the Protecting and Securing 
                                Chemical Facilities from 
                                Terrorist Attacks Act of 2014, 
                                the date that is 210 days after 
                                the date of enactment of that 
                                Act; and
                                  [(II) for any expedited 
                                approval facility not described 
                                in subclause (I), the later 
                                of--
                                          [(aa) the date on 
                                        which the expedited 
                                        approval facility is 
                                        assigned to tier 3 or 4 
                                        under subsection 
                                        (e)(2)(A); or
                                          [(bb) the date that 
                                        is 210 days after the 
                                        date of enactment of 
                                        the Protecting and 
                                        Securing Chemical 
                                        Facilities from 
                                        Terrorist Attacks Act 
                                        of 2014.
                          [(iii) Notice.--An owner or operator 
                        of an expedited approval facility shall 
                        notify the Secretary of the intent of 
                        the owner or operator to certify the 
                        site security plan for the expedited 
                        approval facility not later than 30 
                        days before the date on which the owner 
                        or operator submits the site security 
                        plan and certification described in 
                        subparagraph (C).
                  [(E) Compliance.--
                          [(i) In general.--For an expedited 
                        approval facility submitting a site 
                        security plan and certification in 
                        accordance with subparagraphs (A), (B), 
                        (C), and (D)--
                                  [(I) the expedited approval 
                                facility shall comply with all 
                                of the requirements of its site 
                                security plan; and
                                  [(II) the Secretary--
                                          [(aa) except as 
                                        provided in 
                                        subparagraph (G), may 
                                        not disapprove the site 
                                        security plan; and
                                          [(bb) may audit and 
                                        inspect the expedited 
                                        approval facility under 
                                        subsection (d) to 
                                        verify compliance with 
                                        its site security plan.
                          [(ii) Noncompliance.--If the 
                        Secretary determines an expedited 
                        approval facility is not in compliance 
                        with the requirements of the site 
                        security plan or is otherwise in 
                        violation of this title, the Secretary 
                        may enforce compliance in accordance 
                        with section 2104.
                  [(F) Amendments to site security plan.--
                          [(i) Requirement.--
                                  [(I) In general.--If the 
                                owner or operator of an 
                                expedited approval facility 
                                amends a site security plan 
                                submitted under subparagraph 
                                (A), the owner or operator 
                                shall submit the amended site 
                                security plan and a 
                                certification relating to the 
                                amended site security plan that 
                                contains the information 
                                described in subparagraph (C).
                                  [(II) Technical amendments.--
                                For purposes of this clause, an 
                                amendment to a site security 
                                plan includes any technical 
                                amendment to the site security 
                                plan.
                          [(ii) Amendment required.--The owner 
                        or operator of an expedited approval 
                        facility shall amend the site security 
                        plan if--
                                  [(I) there is a change in the 
                                design, construction, 
                                operation, or maintenance of 
                                the expedited approval facility 
                                that affects the site security 
                                plan;
                                  [(II) the Secretary requires 
                                additional security measures or 
                                suspends a certification and 
                                recommends additional security 
                                measures under subparagraph 
                                (G); or
                                  [(III) the owner or operator 
                                receives notice from the 
                                Secretary of a change in 
                                tiering under subsection 
                                (e)(3).
                          [(iii) Deadline.--An amended site 
                        security plan and certification shall 
                        be submitted under clause (i)--
                                  [(I) in the case of a change 
                                in design, construction, 
                                operation, or maintenance of 
                                the expedited approval facility 
                                that affects the security plan, 
                                not later than 120 days after 
                                the date on which the change in 
                                design, construction, 
                                operation, or maintenance 
                                occurred;
                                  [(II) in the case of the 
                                Secretary requiring additional 
                                security measures or suspending 
                                a certification and 
                                recommending additional 
                                security measures under 
                                subparagraph (G), not later 
                                than 120 days after the date on 
                                which the owner or operator 
                                receives notice of the 
                                requirement for additional 
                                security measures or suspension 
                                of the certification and 
                                recommendation of additional 
                                security measures; and
                                  [(III) in the case of a 
                                change in tiering, not later 
                                than 120 days after the date on 
                                which the owner or operator 
                                receives notice under 
                                subsection (e)(3).
                  [(G) Facially deficient site security 
                plans.--
                          [(i) Prohibition.--Notwithstanding 
                        subparagraph (A) or (E), the Secretary 
                        may suspend the authority of a covered 
                        chemical facility to certify a site 
                        security plan if the Secretary--
                                  [(I) determines the certified 
                                site security plan or an 
                                amended site security plan is 
                                facially deficient; and
                                  [(II) not later than 100 days 
                                after the date on which the 
                                Secretary receives the site 
                                security plan and 
                                certification, provides the 
                                covered chemical facility with 
                                written notification that the 
                                site security plan is facially 
                                deficient, including a clear 
                                explanation of each deficiency 
                                in the site security plan.
                          [(ii) Additional security measures.--
                                  [(I) In general.--If, during 
                                or after a compliance 
                                inspection of an expedited 
                                approval facility, the 
                                Secretary determines that 
                                planned or implemented security 
                                measures in the site security 
                                plan of the facility are 
                                insufficient to meet the risk-
                                based performance standards 
                                based on misrepresentation, 
                                omission, or an inadequate 
                                description of the site, the 
                                Secretary may--
                                          [(aa) require 
                                        additional security 
                                        measures; or
                                          [(bb) suspend the 
                                        certification of the 
                                        facility.
                                  [(II) Recommendation of 
                                additional security measures.--
                                If the Secretary suspends the 
                                certification of an expedited 
                                approval facility under 
                                subclause (I), the Secretary 
                                shall--
                                          [(aa) recommend 
                                        specific additional 
                                        security measures that, 
                                        if made part of the 
                                        site security plan by 
                                        the facility, would 
                                        enable the Secretary to 
                                        approve the site 
                                        security plan; and
                                          [(bb) provide the 
                                        facility an opportunity 
                                        to submit a new or 
                                        modified site security 
                                        plan and certification 
                                        under subparagraph (A).
                                  [(III) Submission; review.--
                                If an expedited approval 
                                facility determines to submit a 
                                new or modified site security 
                                plan and certification as 
                                authorized under subclause 
                                (II)(bb)--
                                          [(aa) not later than 
                                        90 days after the date 
                                        on which the facility 
                                        receives 
                                        recommendations under 
                                        subclause (II)(aa), the 
                                        facility shall submit 
                                        the new or modified 
                                        plan and certification; 
                                        and
                                          [(bb) not later than 
                                        45 days after the date 
                                        on which the Secretary 
                                        receives the new or 
                                        modified plan under 
                                        item (aa), the 
                                        Secretary shall review 
                                        the plan and determine 
                                        whether the plan is 
                                        facially deficient.
                                  [(IV) Determination not to 
                                include additional security 
                                measures.--
                                          [(aa) Revocation of 
                                        certification.--If an 
                                        expedited approval 
                                        facility does not agree 
                                        to include in its site 
                                        security plan specific 
                                        additional security 
                                        measures recommended by 
                                        the Secretary under 
                                        subclause (II)(aa), or 
                                        does not submit a new 
                                        or modified site 
                                        security plan in 
                                        accordance with 
                                        subclause (III), the 
                                        Secretary may revoke 
                                        the certification of 
                                        the facility by issuing 
                                        an order under section 
                                        2104(a)(1)(B).
                                          [(bb) Effect of 
                                        revocation.--If the 
                                        Secretary revokes the 
                                        certification of an 
                                        expedited approval 
                                        facility under item 
                                        (aa) by issuing an 
                                        order under section 
                                        2104(a)(1)(B)--
                                                  [(AA) the 
                                                order shall 
                                                require the 
                                                owner or 
                                                operator of the 
                                                facility to 
                                                submit a site 
                                                security plan 
                                                or alternative 
                                                security 
                                                program for 
                                                review by the 
                                                Secretary 
                                                review under 
                                                subsection 
                                                (c)(1); and
                                                  [(BB) the 
                                                facility shall 
                                                no longer be 
                                                eligible to 
                                                certify a site 
                                                security plan 
                                                under this 
                                                paragraph.
                                  [(V) Facial deficiency.--If 
                                the Secretary determines that a 
                                new or modified site security 
                                plan submitted by an expedited 
                                approval facility under 
                                subclause (III) is facially 
                                deficient--
                                          [(aa) not later than 
                                        120 days after the date 
                                        of the determination, 
                                        the owner or operator 
                                        of the facility shall 
                                        submit a site security 
                                        plan or alternative 
                                        security program for 
                                        review by the Secretary 
                                        under subsection 
                                        (c)(1); and
                                          [(bb) the facility 
                                        shall no longer be 
                                        eligible to certify a 
                                        site security plan 
                                        under this paragraph.
                  [(H) Templates.--
                          [(i) In general.--The Secretary may 
                        develop prescriptive site security plan 
                        templates with specific security 
                        measures to meet the risk-based 
                        performance standards under subsection 
                        (a)(2)(C) for adoption and 
                        certification by a covered chemical 
                        facility assigned to tier 3 or 4 in 
                        lieu of developing and certifying its 
                        own plan.
                          [(ii) Applicability of other laws to 
                        development and issuance of initial 
                        site security plan templates and 
                        related guidance.--During the period 
                        before the Secretary has met the 
                        deadline under subparagraph (B)(i), in 
                        developing and issuing, or amending, 
                        the site security plan templates under 
                        this subparagraph, in issuing guidance 
                        for implementation of the templates, 
                        and in collecting information from 
                        expedited approval facilities, the 
                        Secretary shall not be subject to--
                                  [(I) section 553 of title 5, 
                                United States Code;
                                  [(II) subchapter I of chapter 
                                35 of title 44, United States 
                                Code; or
                                  [(III) section 2107(b) of 
                                this title.
                          [(iii) Rule of construction.--Nothing 
                        in this subparagraph shall be construed 
                        to prevent a covered chemical facility 
                        from developing and certifying its own 
                        security plan in accordance with 
                        subparagraph (A).
                  [(I) Evaluation.--
                          [(i) In general.--Not later than 18 
                        months after the date of enactment of 
                        the Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall take any 
                        appropriate action necessary for a full 
                        evaluation of the expedited approval 
                        program authorized under this 
                        paragraph, including conducting an 
                        appropriate number of inspections, as 
                        authorized under subsection (d), of 
                        expedited approval facilities.
                          [(ii) Report.--Not later than 18 
                        months after the date of enactment of 
                        the Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall submit to 
                        the Committee on Homeland Security and 
                        Governmental Affairs of the Senate and 
                        the Committee on Homeland Security and 
                        the Committee on Energy and Commerce of 
                        the House of Representatives a report 
                        that contains--
                                  [(I)(aa) the number of 
                                eligible facilities using the 
                                expedited approval program 
                                authorized under this 
                                paragraph; and
                                  [(bb) the number of 
                                facilities that are eligible 
                                for the expedited approval 
                                program but are using the 
                                standard process for developing 
                                and submitting a site security 
                                plan under subsection 
                                (a)(2)(D);
                                  [(II) any costs and 
                                efficiencies associated with 
                                the expedited approval program;
                                  [(III) the impact of the 
                                expedited approval program on 
                                the backlog for site security 
                                plan approval and authorization 
                                inspections;
                                  [(IV) an assessment of the 
                                ability of expedited approval 
                                facilities to submit facially 
                                sufficient site security plans;
                                  [(V) an assessment of any 
                                impact of the expedited 
                                approval program on the 
                                security of chemical 
                                facilities; and
                                  [(VI) a recommendation by the 
                                Secretary on the frequency of 
                                compliance inspections that may 
                                be required for expedited 
                                approval facilities.]
          (3) Site security plan assessments.--In approving or 
        disapproving a site security plan under this 
        subsection, the Secretary shall--
                  (A) employ the risk assessment policies and 
                procedures developed under this title; and
                  (B) confirm that the covered chemical 
                facility has complied with the employee 
                consultation requirements in paragraph (2) of 
                subsection (b), including by reviewing and 
                recording compliance with the record-keeping 
                requirements under subparagraph (B) of that 
                paragraph.
  (d) Compliance.--
          (1) Audits and inspections.--
                  (A) Definitions.--In this paragraph--
                          (i) the term ``nondepartmental''--
                                  (I) with respect to 
                                personnel, means personnel that 
                                is not employed by the 
                                Department; and
                                  (II) with respect to an 
                                entity, means an entity that is 
                                not a component or other 
                                authority of the Department; 
                                and
                          (ii) the term ``nongovernmental''--
                                  (I) with respect to 
                                personnel, means personnel that 
                                is not employed by the Federal 
                                Government; and
                                  (II) with respect to an 
                                entity, means an entity that is 
                                not an agency, department, or 
                                other authority of the Federal 
                                Government.
                  (B) Authority to conduct audits and 
                inspections.--The Secretary shall conduct 
                audits or inspections [under this title using] 
                at chemical facilities of interest and covered 
                chemical facilities and shall obtain 
                information and records to ensure compliance 
                with this title. Such audits and inspections 
                shall be conducted using--
                          (i) employees of the Department;
                          (ii) nondepartmental or 
                        nongovernmental personnel approved by 
                        the Secretary; or
                          (iii) a combination of individuals 
                        described in clauses (i) and (ii).
                  (C) Support personnel.--The Secretary may use 
                nongovernmental personnel to provide 
                administrative and logistical services in 
                support of audits and inspections under this 
                title.
                  (D) Reporting structure.--
                          (i) Nondepartmental and 
                        nongovernmental audits and 
                        inspections.--Any audit or inspection 
                        conducted by an individual employed by 
                        a nondepartmental or nongovernmental 
                        entity shall be assigned in 
                        coordination with a regional supervisor 
                        with responsibility for supervising 
                        inspectors within the Infrastructure 
                        Security Compliance Division of the 
                        Department, or any successor 
                        organization that implements the 
                        requirements of subsection (a)(2), for 
                        the region in which the audit or 
                        inspection is to be conducted.
                          (ii) Requirement to report.--While an 
                        individual employed by a 
                        nondepartmental or nongovernmental 
                        entity is in the field conducting an 
                        audit or inspection under this 
                        subsection, the individual shall report 
                        to the regional supervisor with 
                        responsibility for supervising 
                        inspectors within the Infrastructure 
                        Security Compliance Division of the 
                        Department, or any successor 
                        organization that implements the 
                        requirements of subsection (a)(2), for 
                        the region in which the individual is 
                        operating.
                          (iii) Approval.--The authority to 
                        approve a site security plan under 
                        subsection (c) or determine if a 
                        covered chemical facility is in 
                        compliance with an approved site 
                        security plan shall be exercised solely 
                        by the Secretary or a designee of the 
                        Secretary within the Department.
                  (E) Standards for auditors and inspectors.--
                [The Secretary] For each individual responsible 
                for carrying out audits or inspections on 
                behalf of the Secretary, the Secretary shall 
                prescribe standards for to ensure such 
                individuals receive the training [and 
                retraining of each individual used by the 
                Department as an auditor or inspector, 
                including each individual employed by the 
                Department and all nondepartmental or 
                nongovernmental personnel], continuing 
                education, and other professional development 
                tools necessary to carry out duties and 
                responsibilities, including--
                          (i) minimum training [requirements] 
                        necessary to audit and inspect 
                        compliance with all aspects of the 
                        risk-based performance standards, 
                        including standards related to 
                        cybersecurity, for new auditors and 
                        inspectors;
                          (ii) retraining requirements;
                          (iii) minimum education and 
                        experience levels;
                          (iv) the submission of information as 
                        required by the Secretary to enable 
                        determination of whether the auditor or 
                        inspector has a conflict of interest;
                          (v) the proper certification or 
                        certifications necessary to handle 
                        chemical-terrorism vulnerability 
                        information (as defined in section 
                        27.105 of title 6, Code of Federal 
                        Regulations, or any successor thereto);
                          (vi) the proper credential or 
                        certification necessary to conduct 
                        inspections related to the 
                        cybersecurity standard.
                          [(vi)] (vii) the reporting of any 
                        issue of non-compliance with this 
                        section to the Secretary within 24 
                        hours; and
                          [(vii)] (viii) any additional 
                        qualifications for fitness of duty as 
                        the Secretary may require.
                  (F) Conditions for nongovernmental auditors 
                and inspectors.--If the Secretary arranges for 
                an audit or inspection under subparagraph (B) 
                to be carried out by a nongovernmental entity, 
                the Secretary shall--
                          (i) prescribe standards for the 
                        qualification of the individuals who 
                        carry out such audits and inspections 
                        that are commensurate with the 
                        standards for similar Government 
                        auditors or inspectors; and
                          (ii) ensure that any duties carried 
                        out by a nongovernmental entity are not 
                        inherently governmental functions.
          (2) Personnel surety.--
                  (A) Personnel surety program.--For purposes 
                of this title, the Secretary shall establish 
                and carry out a Personnel Surety Program that--
                          (i) does not require an owner or 
                        operator of a covered chemical facility 
                        that voluntarily participates in the 
                        program to submit information about an 
                        individual more than 1 time;
                          (ii) provides a participating owner 
                        or operator of a covered chemical 
                        facility with relevant information 
                        about an individual based on vetting 
                        the individual against the terrorist 
                        screening database, to the extent that 
                        such feedback is necessary for the 
                        facility to be in compliance with 
                        regulations promulgated under this 
                        title; and
                          (iii) provides redress to an 
                        individual--
                                  (I) whose information was 
                                vetted against the terrorist 
                                screening database under the 
                                program; and
                                  (II) who believes that the 
                                personally identifiable 
                                information submitted to the 
                                Department for such vetting by 
                                a covered chemical facility, or 
                                its designated representative, 
                                was inaccurate.
                  (B) Personnel surety program 
                implementation.--To the extent that a risk-
                based performance standard established under 
                subsection (a) requires identifying individuals 
                with ties to terrorism--
                          (i) a covered chemical facility--
                                  (I) may satisfy its 
                                obligation under the standard 
                                by using any Federal screening 
                                program that periodically vets 
                                individuals against the 
                                terrorist screening database, 
                                or any successor program, 
                                including the Personnel Surety 
                                Program established under 
                                subparagraph (A); and
                                  (II) shall--
                                          (aa) accept a 
                                        credential from a 
                                        Federal screening 
                                        program described in 
                                        subclause (I) if an 
                                        individual who is 
                                        required to be screened 
                                        presents such a 
                                        credential; and
                                          (bb) address in its 
                                        site security plan or 
                                        alternative security 
                                        program the measures it 
                                        will take to verify 
                                        that a credential or 
                                        documentation from a 
                                        Federal screening 
                                        program described in 
                                        subclause (I) is 
                                        current;
                          (ii) visual inspection shall be 
                        sufficient to meet the requirement 
                        under clause (i)(II)(bb), but the 
                        facility should consider other means of 
                        verification, consistent with the 
                        facility's assessment of the threat 
                        posed by acceptance of such 
                        credentials; and
                          (iii) the Secretary may not require a 
                        covered chemical facility to submit any 
                        information about an individual unless 
                        the individual--
                                  (I) is to be vetted under the 
                                Personnel Surety Program; or
                                  (II) has been identified as 
                                presenting a terrorism security 
                                risk.
                  (C) Rights unaffected.--Nothing in this 
                section shall supersede the ability--
                          (i) of a facility to maintain its own 
                        policies regarding the access of 
                        individuals to restricted areas or 
                        critical assets; or
                          (ii) of an employing facility and a 
                        bargaining agent, where applicable, to 
                        negotiate as to how the results of a 
                        background check may be used by the 
                        facility with respect to employment 
                        status.
          (3) Availability of information.--The Secretary shall 
        share with the owner or operator of a covered chemical 
        facility any information that the owner or operator 
        needs to comply with this section.
          (4) Audit of emergency response plan.--As part of the 
        audit and inspection process under this subsection, the 
        Secretary shall annually confirm compliance of a 
        chemical facility with the requirements under 
        subsection (c)(1)(B)(ii)(II) including adherence to the 
        facility's documented policy to contact the local 
        emergency manager or local emergency response provider 
        at least annually regarding emergency response plans at 
        the facility under such subsection.
  (e) Responsibilities of the Secretary.--
          (1) Identification of chemical facilities of 
        interest.--In carrying out this title, the Secretary 
        shall consult with the heads of other Federal agencies, 
        States and political subdivisions thereof, relevant 
        business associations, and public and private labor 
        organizations to identify all chemical facilities of 
        interest.
          (2) Risk assessment.--
                  (A) In general.--For purposes of this title, 
                the Secretary shall develop a security risk 
                assessment approach and corresponding tiering 
                methodology for covered chemical facilities 
                that incorporates the relevant elements of 
                risk, including threat, vulnerability, and 
                consequence.
                  (B) Criteria for determining security risk.--
                The criteria for determining the security risk 
                of terrorism and other malicious acts 
                associated with a covered chemical facility 
                shall take into account--
                          (i) relevant threat information;
                          (ii) potential [severe economic 
                        consequences and the potential loss of 
                        human life in the event of the facility 
                        being subject to attack, compromise, 
                        infiltration, or exploitation by 
                        terrorists] consequences in event of 
                        the facility being subject to attack, 
                        compromise, infiltration, or the 
                        exploitation of chemicals of interest 
                        by a terrorist or other malicious 
                        actor; and
                          (iii) vulnerability of the facility 
                        to attack, compromise, infiltration, or 
                        exploitation by terrorists.
          (3) Changes in tiering.--
                  (A) Maintenance of records.--The Secretary 
                shall document the basis for each instance in 
                which--
                          (i) the Secretary determines that a 
                        chemical facility of interest does not 
                        present a high level of security risk;
                          [(i)] (ii) tiering for a covered 
                        chemical facility is changed; or
                          [(ii)] (iii) a covered chemical 
                        facility or chemical facility of 
                        interest is determined to no longer be 
                        subject to the requirements under this 
                        title.
                  (B) Required information.--The records 
                maintained under subparagraph (A) shall include 
                [information on whether and how the Secretary 
                confirmed the information that was the basis 
                for the change or determination described in 
                subparagraph (A).] information on--
                          (i) how the Secretary confirmed the 
                        information that was the basis for the 
                        change or determination described in 
                        subparagraph (A); and
                          (ii) actions taken or practices 
                        employed by the facility to reduce or 
                        remove terrorism-related chemical 
                        security risks, where applicable.
                  (C) Treatment of certain information.--For 
                the purposes of subsection (a) of section 
                2103--
                          (i) information described in 
                        subparagraph (B)(i) shall be given 
                        protections from public disclosure 
                        under such subsection; and
                          (ii) information described in 
                        subparagraph (B)(ii) shall not be given 
                        protections from public disclosure 
                        under such subsection.
          (4) Sharing information with emergency response 
        providers.--
                  (A) In general.--The Secretary shall make 
                available to State, local, and regional fusion 
                centers (as that term is defined in section 
                210A(j)(1) of this Act) and State and local 
                government officials such information as the 
                Secretary determines necessary to ensure that 
                emergency response providers are prepared and 
                provided with the situational awareness needed 
                to respond to security incidents at covered 
                chemical facilities.
                  (B) Dissemination.--The Secretary shall 
                disseminate information under subparagraph (A) 
                to individuals identified and entities 
                described in such subparagraph in a secure and 
                expeditious manner.
          (5) Practices that may reduce chemical security 
        risks.--
                  (A) In general.--Based on the information 
                maintained under paragraph (3)(B)(ii) regarding 
                actions taken or practices employed by chemical 
                facilities of interest to successfully reduce 
                or remove terrorism-related chemical security 
                risks, the Secretary shall develop voluntary, 
                publicly available practices that could be used 
                to guide other facility owners and operators in 
                preventing, reducing, and mitigating chemical 
                security risks.
                  (B) Treatment of sensitive information.--In 
                developing and disseminating practices under 
                subparagraph (A), the Secretary shall protect 
                from public disclosure all information 
                described in section 2103(a).
          (6) Congressional notification.--Any time a 
        determination is not made with respect to a chemical 
        facility of interest within 9 months of the facility 
        submitting a Top-Screen, the Secretary shall notify the 
        Committees on Homeland Security and Energy and Commerce 
        of the House and the Committee on Homeland Security and 
        Governmental Affairs of the Senate and provide an 
        explanation.
          [(4)] (7) Semiannual performance reporting.--Not 
        later than 6 months after the date of enactment of the 
        Protecting and Securing Chemical Facilities from 
        Terrorist Attacks Act of 2014, and not less frequently 
        than once every 6 months thereafter, the Secretary 
        shall submit to the Committee on Homeland Security and 
        Governmental Affairs of the Senate and the Committee on 
        Homeland Security and the Committee on Energy and 
        Commerce of the House of Representatives a report that 
        includes, for the period covered by the report--
                  (A) the number of covered chemical facilities 
                in the United States;
                  (B) information--
                          (i) describing--
                                  (I) the number of instances 
                                in which the Secretary--
                                          (aa) placed a covered 
                                        chemical facility in a 
                                        lower risk tier; [or]
                                          (bb) determined that 
                                        a facility that had 
                                        previously met the 
                                        criteria for a covered 
                                        chemical facility under 
                                        section 2101(3) no 
                                        longer met the 
                                        criteria; [and] or
                                          (cc) determined that 
                                        a chemical facility of 
                                        interest did not 
                                        present a high level of 
                                        risk; and
                                  (II) the basis, in summary 
                                form, for each action or 
                                determination under subclause 
                                (I); and
                          (ii) that is provided in a 
                        sufficiently anonymized form to ensure 
                        that the information does not identify 
                        any specific facility or company as the 
                        source of the information when viewed 
                        alone or in combination with other 
                        public information;
                  [(C) the average number of days spent 
                reviewing site security or an alternative 
                security program for a covered chemical 
                facility prior to approval;]
                  (C) for the period beginning on the date that 
                is one year before the date of the enactment of 
                the Protecting and Securing Chemical Facilities 
                from Terrorist Attacks Act of 2019 and ending 
                on the date of the enactment of such Act, the 
                average length of time required to--
                          (i) review and approve site security 
                        plans or alternative security programs 
                        for covered chemical facilities;
                          (ii) ensure a facility has achieved 
                        full implementation of planned security 
                        measures; and
                          (iii) conduct a compliance 
                        inspection, including the average 
                        length of time inspectors spend on an 
                        individual compliance inspection;
                  (D) the number of covered chemical facilities 
                inspected;
                  (E) the average number of covered chemical 
                facilities inspected per inspector; [and]
                  (F) a detailed summary of reports and other 
                information generated under paragraph (3) 
                regarding facilities that receive a change in 
                tier or that are determined not to present a 
                high level of security risk;
                  (G) a detailed summary of practices 
                identified and disseminated under such 
                paragraph;
                  (H) actions taken and results produced in 
                implementing the practices, to the extent 
                feasible; and
                  [(F)] (I) any other information that the 
                Secretary determines will be helpful to 
                Congress in evaluating the performance of the 
                Chemical Facility Anti-Terrorism Standards 
                Program.
  (f) Specific products and mixtures containing chemicals of 
interest The Secretary may exclude a specific product or 
mixture that contains a chemical of interest at or above the 
minimum concentration listed on Appendix A to part 27 of title 
6, Code of Federal Regulations, or any successor thereto, from 
any reporting requirements under this section if the Secretary 
determines that the product or mixture does not present a 
terrorism risk for which the chemical of interest contained 
within the product or mixture was included on Appendix A.

SEC. 2103. PROTECTION AND SHARING OF INFORMATION.

  (a) In General.--Notwithstanding any other provision of law, 
information developed under this title, including vulnerability 
assessments, site security plans, and other security related 
information, records, and documents shall be given protections 
from public disclosure consistent with the protection of 
similar information under section 70103(d) of title 46, United 
States Code.
  [(b) Sharing of Information With States and Local 
Governments.--Nothing in this section shall be construed to 
prohibit the sharing of information developed under this title, 
as the Secretary determines appropriate, with State and local 
government officials possessing a need to know and the 
necessary security clearances, including law enforcement 
officials and first responders, for the purpose of carrying out 
this title, provided that such information may not be disclosed 
pursuant to any State or local law.
  [(c) Sharing of Information With First Responders.--
          [(1) Requirement.--The Secretary shall provide to 
        State, local, and regional fusion centers (as that term 
        is defined in section 210A(j)(1)) and State and local 
        government officials, as the Secretary determines 
        appropriate, such information as is necessary to help 
        ensure that first responders are properly prepared and 
        provided with the situational awareness needed to 
        respond to security incidents at covered chemical 
        facilities.
          [(2) Dissemination.--The Secretary shall disseminate 
        information under paragraph (1) through a medium or 
        system determined by the Secretary to be appropriate to 
        ensure the secure and expeditious dissemination of such 
        information to necessary selected individuals.]
  (b) Authorized Recipients of Information.--The Secretary 
shall make available, upon request, information protected 
pursuant to subsection (a) to the following recipients:
          (1) State and local government officials, including 
        law enforcement and emergency response providers, with 
        respect to information on any chemical facility of 
        interest within the jurisdiction of the official, but 
        only if such information may not be disclosed pursuant 
        to any State or local law.
          (2) Members of Congress.
          (3) Members of the Chemical Security Advisory 
        Committee under section 2010, in the course of 
        conducting official duties and responsibilities as 
        described in such section.
          (4) The Comptroller General of the United States.
  (c) Information Developed for Other Purposes.--Nothing in 
this section shall be construed to prohibit a chemical facility 
of interest from disclosing information that was not created 
solely for the purpose of meeting the requirements of this 
title.
  (d) Enforcement Proceedings.--In any proceeding to enforce 
this section, vulnerability assessments, site security plans, 
and other information submitted to or obtained by the Secretary 
under this title, and related vulnerability or security 
information, shall be treated as if the information were 
classified information.
  (e) Availability of Information.--Notwithstanding any other 
provision of law (including section 552(b)(3) of title 5, 
United States Code), section 552 of title 5, United States Code 
(commonly known as the ``Freedom of Information Act'') shall 
not apply to information protected from public disclosure 
pursuant to subsection (a) of this section.
  [(f) Sharing of Information With Members of Congress.--
Nothing in this section shall prohibit the Secretary from 
disclosing information developed under this title to a Member 
of Congress in response to a request by a Member of Congress.]

SEC. 2104. CIVIL ENFORCEMENT.

  (a) Notice of Noncompliance.--
          (1) Notice.--If the Secretary determines that a 
        covered chemical facility is not in compliance with 
        this title, the Secretary shall--
                  (A) provide the owner or operator of the 
                facility with--
                          (i) not later than [14 days after 
                        date on which] three days after the 
                        date on which the Secretary makes the 
                        determination, a written notification 
                        of noncompliance that includes a clear 
                        explanation of any deficiency in the 
                        security vulnerability assessment or 
                        site security plan; and
                          (ii) an opportunity for consultation 
                        with the Secretary or the Secretary's 
                        designee; and
                  (B) issue to the owner or operator of the 
                facility an order to comply with this title by 
                a date specified by the Secretary in the order, 
                which date shall be not later than [180 days] 
                30 days after the date on which the Secretary 
                issues the order.
          (2) Continued noncompliance.--If an owner or operator 
        remains noncompliant after the procedures outlined in 
        paragraph (1) have been executed, or demonstrates 
        repeated violations of this title, the Secretary may 
        enter an order in accordance with this section 
        assessing a civil penalty, an order to cease 
        operations, or both.
  (b) Civil Penalties.--
          (1) Violations of orders.--Any person who violates an 
        order issued under this title shall be liable for a 
        civil penalty under section 70119(a) of title 46, 
        United States Code.
          (2) Non-reporting chemical facilities of interest.--
        Any owner of a chemical facility of interest who fails 
        to comply with section 2102(a)(2)(B) or any requirement 
        issued by the Secretary thereunder, or knowingly 
        submits false information under, this title or the 
        CFATS regulations shall be liable for a civil penalty 
        under section 70119(a) of title 46, United States Code.
  (c) Emergency Orders.--
          (1) In general.--Notwithstanding subsection (a) or 
        any site security plan or alternative security program 
        approved under this title, if the Secretary determines 
        that there is an imminent threat of death, serious 
        illness, or severe personal injury, due to a violation 
        of this title or the risk of a terrorist incident or 
        other malicious act that may affect a chemical facility 
        of interest, the Secretary--
                  (A) shall consult with the facility, if 
                practicable, on steps to mitigate the risk; and
                  (B) may order the facility, without notice or 
                opportunity for a hearing, effective 
                immediately or as soon as practicable, to--
                          (i) implement appropriate emergency 
                        security measures; or
                          (ii) cease or reduce some or all 
                        operations, in accordance with safe 
                        shutdown procedures, if the Secretary 
                        determines that such a cessation or 
                        reduction of operations is the most 
                        appropriate means to address the risk.
          (2) Limitation on delegation.--The Secretary may not 
        delegate the authority under paragraph (1) to any 
        official other than the Director of Cybersecurity and 
        Infrastructure Security.
          (3) Limitation on authority.--The Secretary may 
        exercise the authority under this subsection only to 
        the extent necessary to abate the imminent threat 
        determination under paragraph (1).
          (4) Due process for facility owner or operator.--
                  (A) Written orders.--An order issued by the 
                Secretary under paragraph (1) shall be in the 
                form of a written emergency order that--
                          (i) describes the violation or risk 
                        that creates the imminent threat;
                          (ii) states the security measures or 
                        order issued or imposed; and
                          (iii) describes the standards and 
                        procedures for obtaining relief from 
                        the order.
                  (B) Opportunity for review.--After issuing an 
                order under paragraph (1) with respect to a 
                chemical facility of interest, the Secretary 
                shall provide for review of the order under 
                section 554 of title 5 if a petition for review 
                is filed not later than 20 days after the date 
                on which the Secretary issues the order.
                  (C) Expiration of effectiveness of order.--If 
                a petition for review of an order is filed 
                under subparagraph (B) and the review under 
                that paragraph is not completed by the last day 
                of the 30-day period beginning on the date on 
                which the petition is filed, the order shall 
                vacate automatically at the end of that period 
                unless the Secretary determines, in writing, 
                that the imminent threat providing a basis for 
                the order continues to exist.
  (d) Right of Action.--Nothing in this title confers upon any 
person except the Secretary or his or her designee a right of 
action against an owner or operator of a covered chemical 
facility to enforce any provision of this title, except as 
provided in section 2105(a)(5) regarding whistleblower 
retaliation.

SEC. 2105. WHISTLEBLOWER PROTECTIONS.

  (a) Procedure for Reporting Problems.--
          (1) Establishment of a reporting procedure.--[Not 
        later than 180 days after the date of enactment of the 
        Protecting and Securing Chemical Facilities from 
        Terrorist Attacks Act of 2014, the Secretary] The 
        Secretary shall establish, and provide information to 
        the public regarding, a procedure under which any 
        employee or contractor of a chemical facility of 
        interest may submit a report to the Secretary regarding 
        a violation of a requirement under this title.
          [(2) Confidentiality.--The Secretary shall keep 
        confidential the identity of an individual who submits 
        a report under paragraph (1) and any such report shall 
        be treated as a record containing protected information 
        to the extent that the report does not consist of 
        publicly available information.
          [(3) Acknowledgment of receipt.--If a report 
        submitted under paragraph (1) identifies the individual 
        making the report, the Secretary shall promptly respond 
        to the individual directly and shall promptly 
        acknowledge receipt of the report.]
          (2) Confidentiality.--
                  (A) In general.--Except as provided in 
                subparagraph (B), in the absence of the written 
                consent of an individual who submits a report 
                under paragraph (1)--
                          (i) the Secretary shall keep 
                        confidential the identity of and any 
                        identifying information relating to 
                        that individual; and
                          (ii) any such report shall be subject 
                        to the protections on information under 
                        section 2103 of this Act to the extent 
                        that the report does not consist of 
                        publicly available information.
                  (B) Notice.--In a case in which it is 
                necessary to disclose the identity of or any 
                identifying information relating to an 
                individual who submits a report under paragraph 
                (1) because it is essential to investigate the 
                information contained in the report or because 
                of compulsory legal process, the Secretary 
                shall provide timely advance notice to the 
                individual of such disclosure.
          (3) Response to reports.--If a report submitted under 
        paragraph (1) contains information identifying the 
        individual making the report, the Secretary, or the 
        designee of the Secretary shall, by not later than 15 
        days after the date on which the report is received, 
        respond to the individual directly and acknowledge 
        receipt of the report.
          (4) Steps to address problems.--The Secretary--
                  (A) shall review and consider the information 
                provided in any report submitted under 
                paragraph (1); and
                  (B) may take action under section 2104 of 
                this title if necessary to address any 
                substantiated violation of a requirement under 
                this title identified in the report.
          (5) Due process for facility owner or operator.--
                  (A) In general.--If, upon the review 
                described in paragraph (4), the Secretary 
                determines that a violation of a provision of 
                this title, or a regulation prescribed under 
                this title, has occurred, the Secretary may--
                          (i) institute a civil enforcement 
                        under section 2104(a) of this title; or
                          (ii) if the Secretary makes the 
                        determination under section 2104(c), 
                        issue an emergency order.
                  (B) Written orders.--The action of the 
                Secretary under paragraph (4) shall be in a 
                written form that--
                          (i) describes the violation;
                          (ii) states the authority under which 
                        the Secretary is proceeding; and
                          (iii) describes the standards and 
                        procedures for obtaining relief from 
                        the order.
                  [(C) Opportunity for review.--After taking 
                action under paragraph (4), the Secretary shall 
                provide for review of the action if a petition 
                for review is filed within 20 calendar days of 
                the date of issuance of the order for the 
                action.]
                  (C) Opportunity for review.--In any action 
                under paragraph (4) that is based on 
                information received under the procedure 
                established under paragraph (1), the Secretary 
                shall provide for review of the action if a 
                petition for review is filed within 20 calendar 
                days of the date of issuance of the order for 
                the action.
                  (D) Expiration of effectiveness of order.--If 
                a petition for review of an action is filed 
                under subparagraph (C) and the review under 
                that subparagraph is not completed by the end 
                of the 30-day period beginning on the date the 
                petition is filed, the action shall cease to be 
                effective at the end of such period [unless the 
                Secretary determines], except that the 
                Secretary may provide for a 30-day extension if 
                the Secretary determines, in writing, [that the 
                violation providing a basis for the action 
                continues to exist.] that--
                          (i) the violation providing a basis 
                        for the action continues to exist; or
                          (ii) such period is insufficient to 
                        complete the review of the action.
          (6) Retaliation prohibited.--
                  (A) In general.--An owner or operator of a 
                chemical facility of interest or agent thereof 
                may not [discharge an employee or otherwise 
                discriminate against an employee with respect 
                to the compensation provided to, or terms, 
                conditions, or privileges of the employment of, 
                the employee because the employee (or an 
                individual acting pursuant to a request of the 
                employee) submitted a report under paragraph 
                (1).] discharge an employee or otherwise 
                discriminate against an employee or former 
                employee with respect to the compensation 
                provided to, or terms, conditions, or 
                privileges associated with current or past 
                employment of, the employee or former employee 
                because the employee or former employee (or an 
                individual acting pursuant to a request of the 
                employee or former employee) submitted a report 
                under paragraph (1).
                  (B) Exception.--An employee or former 
                employee shall not be entitled to the 
                protections under this section if the employee 
                or former employee (or an individual acting 
                pursuant to a request of the employee or former 
                employee)--
                          (i) knowingly and willfully makes any 
                        false, fictitious, or fraudulent 
                        statement or representation; or
                          (ii) uses any false writing or 
                        document knowing the writing or 
                        document contains any false, 
                        fictitious, or fraudulent statement or 
                        entry.
                  (C) Procedure and remedy.--
                          (i) In general.--The Secretary shall 
                        establish a procedure for the review 
                        and investigation of complaints of 
                        reprisals prohibited under subparagraph 
                        (A) and for remedies for violations of 
                        such subparagraph.
                          (ii) Judicial remedies.--Nothing in 
                        this title shall be construed to deny 
                        an individual who submits a complaint 
                        for any reprisal prohibited under 
                        subparagraph (A) from seeking a 
                        judicial remedy against the owner or 
                        operator of the chemical facility of 
                        interest as long as the individual has 
                        exhausted administrative remedies.
  (b) Protected Disclosures.--Nothing in this title shall be 
construed to limit the right of an individual to make any 
disclosure--
          (1) protected or authorized under section 2302(b)(8) 
        or 7211 of title 5, United States Code;
          (2) protected under any other Federal or State law 
        that shields the disclosing individual against 
        retaliation or discrimination for having made the 
        disclosure in the public interest; or
          (3) to the Special Counsel of an agency, the 
        inspector general of an agency, or any other employee 
        designated by the head of an agency to receive 
        disclosures similar to the disclosures described in 
        paragraphs (1) and (2).
  (c) Publication of Rights.--The Secretary, in partnership 
with industry associations and labor organizations, shall make 
publicly available both physically and online the rights that 
an individual who discloses information, including security-
sensitive information, regarding problems, deficiencies, or 
vulnerabilities at a covered chemical facility would have under 
Federal whistleblower protection laws or this title.
  [(d) Protected Information.--All information contained in a 
report made under this subsection (a) shall be protected in 
accordance with section 2103.]

SEC. 2106. RELATIONSHIP TO OTHER LAWS.

  (a) Other Federal Laws.--Nothing in this title shall be 
construed to supersede, amend, alter, or affect any Federal law 
that--
          (1) regulates (including by requiring information to 
        be submitted or made available) the manufacture, 
        distribution in commerce, use, handling, sale, other 
        treatment, or disposal of chemical substances or 
        mixtures; or
          (2) authorizes or requires the disclosure of any 
        record or information obtained from a chemical facility 
        under any law other than this title.
  (b) States and Political Subdivisions.--This title shall not 
preclude or deny any right of any State or political 
subdivision thereof to adopt or enforce any regulation, 
requirement, or standard of performance with respect to 
chemical facility security that is more stringent than a 
regulation, requirement, or standard of performance issued 
under this section, or otherwise impair any right or 
jurisdiction of any State with respect to chemical facilities 
within that State, unless there is an actual conflict between 
this section and the law of that State.

           *       *       *       *       *       *       *


SEC. 2110. CHEMICAL SECURITY ADVISORY COMMITTEE.

  (a) Establishment.--The Secretary shall establish a standing 
Chemical Security Advisory Committee to advise the Secretary on 
the implementation of this title.
  (b) Membership.--
          (1) In general.--The Advisory Committee shall be 
        comprised of 12 members selected by the Secretary, 
        which shall include at least one individual who is a 
        multi-disciplinary stakeholder with scientific or other 
        expertise representing each of the following:
                  (A) Industry.
                  (B) Academia.
                  (C) Labor.
                  (D) Emergency response providers.
                  (E) Local emergency planners.
                  (F) Environmental, community, or public 
                health advocates, particularly for communities 
                with high concentrations of covered chemical 
                facilities.
                  (G) Cybersecurity and information policy.
          (2) Terms.--Each member shall be appointed for an 
        initial term of three years and may be reappointed for 
        one additional three-year term.
          (3) Chair.--The Committee shall have a chair, who 
        shall be selected by the members of the Committee.
          (4) Pay.--Members shall serve without pay.
          (5) Quorum.--A majority of members of the Advisory 
        Committee shall constitute a quorum but a lesser number 
        may hold hearings.
  (c) Subcommittees.--The Advisory Committee may establish 
subcommittees to assesses and recommend improvements to the 
risk tiering methodology for chemical facilities, the risk-
based performance standards for chemical facilities, risk 
reduction strategies, and other aspects of the program under 
this title as the Secretary determines appropriate.
  (d) Information Protection.--Members of Advisory Committee 
shall maintain information protections pursuant to section 2103 
of this Act. Any member who needs to access classified 
information to carry out assessments and recommendations for 
improving the risk tiering methodology for chemical facilities 
shall have an appropriate security clearance.
  (e) Annual Report.--
          (1) Submission to the secretary.--Not later than 
        January 30 each year, the chair shall submit to the 
        Secretary a report on the activities of the Committee 
        during the year preceding the year during which the 
        report is submitted.
          (2) Submission to congress.--Not later than 45 days 
        after receiving a report from the Advisory Committee 
        under paragraph (1), the Secretary shall provide to the 
        Committees on Homeland Security and Energy and Commerce 
        of the House of Representatives and the Committee on 
        Homeland Security and Governmental Affairs of the 
        Senate a copy of the report together with any 
        Secretarial feedback on the report.
  (f) Applicability of FACA.--The Federal Advisory Committee 
Act (5 U.S.C. App.) shall not apply to the Committee 
established under this section.

           *       *       *       *       *       *       *

                              ----------                              


PROTECTING AND SECURING CHEMICAL FACILITIES FROM TERRORIST ATTACKS ACT 
                                OF 2014



           *       *       *       *       *       *       *
SEC. 5. TERMINATION.

  The authority provided under title XXI of the Homeland 
Security Act of 2002, as added by section 2(a), shall terminate 
on [the date that is 5 years and 3 months after the effective 
date of this Act]May 1, 2025.

                             MINORITY VIEWS

    H.R. 3256 reauthorizes the Chemical Facilities Anti-
Terrorism Standards (CFATS) program for five years and makes 
numerous changes to the program. Unfortunately, these changes 
are not representative of the program's terrorism focus. 
Instead, they create unnecessary administrative and regulatory 
burdens on the Department of Homeland Security (DHS) and 
industry with no demonstrable improvement in chemical security.
    H.R. 3256 lowers the threshold for the risk assessment 
process DHS uses to help determine which facilities need to be 
regulated. Instead of considering severe economic consequences 
and the potential for loss of human life, the bill would 
require DHS to consider any consequence of an attack on a 
chemical facility. This change moves the CFATs program away 
from its nexus to terrorism. It will cause DHS to waste time 
and considerable resources trying to determine which of the 
numerous and potentially frivolous consequences of an attack 
should be considered. In every other security program, the 
consequences of a terrorist attack are measured in severe 
economic impacts and human lives lost. Under this bill, such 
consequences could be measured in dead shrubbery and lost 
casino revenues.
    The bill expands an existing whistleblower protection 
program by requiring DHS to issue new regulations to 
investigate acts of employee retaliation and penalize employers 
it determines guilty of such acts. DHS has informed the 
Committee that it lacks the resources and expertise to 
implement such a program. Since it first started documenting 
whistleblower complaints in 2014, DHS has received less than 
ten complaints. In each of those cases, there have been no 
reports of retaliation taken against the employee. Finally, 
other homeland security programs established under the Maritime 
Transportation Security Act and Aviation and Transportation 
Security Act, have no whistleblower programs. This begs the 
question as to why CFATS needs a whistleblower program in the 
first place.
    This bill ignores fundamental security planning principles. 
Rather than allowing chemical facilities to consult with 
employees ``to the greatest extent practicable,'' it mandates 
employee and union consultation in the development of a 
facility's site security plan (SSP) regardless of a given 
employee's need to know sensitive security details. Consider 
this mandate in the context of a small facility with only a few 
employees, which is not uncommon for chemical facilities 
regulated under CFATS. One employee works offsite and only 
handles the finances and has nothing to do with security of the 
facility, yet, this employee must be consulted. Or consider 
that the only union on site is a janitorial union, which is not 
associated with the site security. Under this bill, the 
facility is required to consult with a member of the janitorial 
union to create the SSP. The effect of this provision is to 
increase the number of people that have potentially vulnerable 
or damaging information about the facility. That increases a 
facility's risk and undermines the entire purpose of the CFATS 
program.
    The bill includes another provision which would result in 
sensitive security information being divulged to individuals 
without a valid security ``need-to-know''. It creates a 
chemical security advisory committee populated with 
environmentalists and community activists that have little, if 
any, understanding of the complexities of chemical security. It 
provides these unqualified'' individuals with access to 
sensitive security information and charges them with providing 
advice to the Secretary on how to assess the security risks of 
chemical facilities under the program.
    Finally, in a break from past reauthorizations, this bill 
is moving forward without an agreement with the other committee 
of jurisdiction over the CFATS program, the Energy and Commerce 
Committee. Majority and minority staff of the Energy and 
Commerce Committee raised numerous issues with the bill that 
have yet to be resolved.
    Outstanding policy and procedural issues threaten this 
legislation's ability to pass the House and receive favorable 
consideration in the Senate. For these reasons, Committee 
Republicans cannot support the bill at this time.

                                                       Mike Rogers.