It’s been 10 years since the Department of Homeland Security updated cyber security standards under a program designed to strengthen compliance at the nation’s high-risk chemical facilities, potentially leaving these facilities vulnerable to cyber threats, the Government Accountability Office (GAO) says in a new report.

DHS in 2009 introduced guidance, including performance standards for cyber security, for chemical facilities to meet and for DHS personnel to use in evaluating compliance against the guidance, says the report, Critical Infrastructure Protection: Actions Needed to Enhance DHS Oversight of Cybersecurity at High-Risk Chemical Facilities (GAO-20-453). It says there are about 3,300 facilities that fall under the 2007 Chemical Facility Anti-Terrorism Standards (CFATS) program.

“However, the CFATS program has not reviewed or updated its guidance for cybersecurity and other risks in more than 10 years,” GAO says.

The report adds that “CFATS officials stated that the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances. Without such a process, facilities could be more vulnerable to cyber-related threats.”

GAO makes six recommendations, all agreed to by DHS, including having the department’s Cybersecurity and Infrastructure Security Agency implement a process to review and possibly revise cyber security guidance at regular intervals, assess how well cyber security training is helping to achieve program goals, and develop a plan to evaluate the effectiveness of the training.