The Office of Infrastructure Protection

Transcription

1 The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Chemical Facility Anti-Terrorism Standards (CFATS) and Ammonium Nitrate Security Program Updates December 2013

2 Why Chemical Facility Security? The Homeland faces a persistent and evolving threat from terrorist groups and cells. Chemical facilities potentially are attractive targets as: A successful attack on some chemical facilities could potentially cause a significant number of deaths and injuries. Certain chemical facilities possess materials that could be stolen or diverted and used as or converted into weapons for use offsite. In Section 550 of the DHS Appropriations Act of 2007, Congress authorized the Department to regulate security at high-risk chemical facilities. Under Section 550, covered facilities must perform Security Vulnerability Assessments (SVAs) and implement Site Security Plans (SSPs) containing security measures that meet DHS-defined Risk-Based Performance Standards (RBPS). The Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, to implement this authority. 2

3 Who Is Regulated? To determine if a facility is subject to CFATS, DHS looks at the unique circumstances faced by the facility, starting with the quantities of Chemicals of Interest (COI) the facility possesses. Potential regulation is not based on the facility type, meaning that many different types of facilities may be subject to CFATS, including: Chemical manufacturers Hospitals Warehouse and distributors Semi-conductor manufacturers Chemical repackaging operations Paint manufacturers Oil and gas operations Colleges and universities Congress did exempt several types of facilities from regulation: Facilities regulated under the Maritime Transportation Security Act (MTSA) or regulated by the Nuclear Regulatory Commission (NRC) Facilities owned or operated by the Departments of Defense or Energy Public water systems and water treatment works regulated under certain federal water quality laws 3

4 CFATS Process Initiate CFATS Process Complete Top Screen Complete SVA or ASP Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Facility with Chemicals of Interest (COI) at or above the Screening Threshold Quantity (STQ) recognizes the need to submit a Top Screen and completes CVI training and CSAT user registration. CFATS Help Desk registers the facility and provides a user ID and password. Facility completes Top Screen, identifying chemicals and quantities and providing other relevant information. DHS reviews Top Screen information and determines the facility's Preliminary Tier status or determines that facility is not high risk. DHS sends facility a Preliminary Tier letter and deadline for completing a Security Vulnerability Assessment (SVA) or an Alternative Security Program (ASP for Tier 4 facilities, if they choose). If DHS has determined that the facility is not high risk, the facility is sent a letter releasing it from further regulation. Covered (high risk) facility completes an SVA or ASP to provide more detailed information about COI and vulnerability to attack. SVA/ASP Review Complete SSP or ASP Authorization Inspection & Approval Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 DHS reviews SVA or ASP information provided and determines facility s Final Tier or that facility is not high risk. DHS notifies the facility of its final status and tiered facilities are provided deadlines for completing an Site Security Plan (SSP) or ASP. Facility completes an SSP or ASP detailing sitespecific security measures to satisfy applicable Risk Based Performance Standards. DHS reviews SSP or ASP and (a) issues authorization letter for SSP or ASP and schedules an inspection or (b) issues notice to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. DHS conducts authorization inspection, reviews all available information, and either issues a Letter of Approval for the SSP or ASP or issues notice to the facility to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. If SSP or ASP is approved, DHS conducts compliance inspections on a regular and recurring basis to verify continued compliance with the approved SSP or ASP.

5 Key CFATS Tools Chemical Security Assessment Tool (CSAT): CSAT is the backbone of the CFATS program, and currently includes four primary applications: User Registration Top-Screen SVA SSP Chemical-terrorism Vulnerability Information (CVI): CVI is the information protection category used to ensure secure handling of certain sensitive CFATS-related information. Except in emergency or exigent circumstances, only CVI authorized users with a need-to-know are permitted to access the CSAT Top-Screen, SVA, and SSP, certain correspondence, and other types CVI as specified in CFATS. Persons potentially eligible to access CVI include facility employees; Federal employees, contractors, and grantees; and State/local government employees. DHS provides online CVI training and authorization. 5

6 Risk-Based Performance Standards (RBPS) Under Section 550, a CFATS-covered facility must submit for DHS approval an SSP or, if the facility chooses, an ASP that contains security measures that meet all applicable RBPS developed by DHS. RBPS are non-prescriptive, and thus provide facilities with substantial flexibility, including the ability to leverage existing measures where appropriate. Compliance with the RBPS will be tailored to fit each facility s circumstances, including tier level, security issues, and physical and operating environments. Consequently, measures appropriate to meet an RBPS for one type of facility will not necessarily be appropriate for anther type of facility (e.g., DHS would not expect a covered university to necessarily employ the same type of measures as a large chemical manufacturer). CFATS currently has 18 RBPS, addressing areas such as perimeter security; shipping, receipt, and storage; cybersecurity; personnel surety; training; and recordkeeping. 6

7 Site Security Plan (SSP) Review and Inspections DHS uses a two-step process to determine if an SSP (or ASP) meets all applicable RBPS for a covered facility s tier and security-vulnerability issues. An SSP (or ASP) is reviewed by DHS and if it appears to meet the applicable RBPS, the facility will receive a Letter of Authorization and an inspection is scheduled. If it does not meet the applicable RBPS, the facility will be provided a letter identifying deficiencies that must be resolved prior to authorization or final approval. After a facility receives a Letter of Authorization, DHS will inspect the facility for compliance with CFATS and will either issue a Letter of Approval approving the SSP (or ASP) or issue a notice of deficiencies that must be resolved prior to final approval. Inspections typically take approximately one week and involve two or more inspectors. Facilities should be prepared to show all security elements in the authorized SSP (or ASP) during an inspection. 7

8 Program Status: Covered Facilities DHS has received over 46,000 Top-Screens. Of the Top-Screens received and analyzed, DHS issued preliminary tier notification and SVA due dates to over 8,500 facilities. DHS has received over 8,500 SVAs and has reviewed nearly all of them. As of December 2, 2013, CFATS covers 4,285 facilities (3,374 final tiered facilities, 911 preliminarily tiered facilities) across all 50 states. Tier Final Tiered Facilities Facilities Awaiting Final Tier Total All statistics are current as of December 2,

9 Program Status: SSPs and Inspections Site Security Plans (SSPs): DHS has received and is in the process of reviewing an estimated 4,600 SSPs and Alternative Security Programs (ASPs); of these, 903 SSPs have been authorized and 381 have been approved. Authorization Inspections (AIs): The first AI was conducted during the summer of As of December 2, 2013, 589 AIs have been conducted. Compliance Assistance Visits (CAVs): DHS continues to conduct CAVs to assist facilities with RBPS compliance, and has completed an estimated 1363 CAVs. DHS formerly conducted Preliminary Authorization Inspections (PAIs) as a means of improving the SSP submittals, with the goal of helping facilities receive a Letter of Authorization. These are now covered under CAVs. 9

10 Program Status: Enforcement Administrative Orders: To date, DHS has issued 66 Administrative Orders under CFATS to facilities that failed to submit an SSP within the prescribed deadline. All 66 facilities came into compliance as a result of the Administrative Orders, and without the need for the issuance of penalty orders by DHS. Redeterminations: DHS has completed over 600 Requests for Redetermination that have resulted in either the non-regulation or re-tiering of many facilities. 10

11 Program Status: Other Results Since the inception of CFATS, more than 3,000 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. 11

12 ISCD Progress ISCD is working to continuously strengthen the program and improve implementation of CFATS. Progress includes: Improving the SSP review process and increasing the pace of SSP reviews Refining inspector tools and training Reinvigorating industry engagement on the development of ASP templates Improving internal communications and organizational culture Preparing for an external peer review of the CFATS risk assessment methodology 12

13 CFATS-MTSA Harmonization DHS has chartered a CFATS-MTSA Harmonization Working Group that is composed of Headquarters representatives from the National Protection and Programs Directorate (NPPD) and the U.S. Coast Guard. The objectives of the working group are to: Analyze the security requirements under both programs; Enhance a comprehensive National Risk Picture; Assist information sharing between the agencies; and Develop joint guidelines and directives where appropriate. The U.S. Coast Guard and NPPD are working cooperatively to develop a proposed rulemaking that would, if adopted, require MTSA facilities to submit a Top-Screen when the facilities meet the Top-Screen submission criteria. Any regulatory change to either program would be published in the Federal Register for public review and comment. 13

14 Available Resources Outreach: DHS outreach for CFATS is a continuous effort to educate stakeholders on the program. To request a CFATS presentation or a CAV, individuals may submit a request through the program Web site, located at or by ing DHS at CFATS@dhs.gov. CFATS Help Desk: DHS has developed a CFATS Help Desk that individuals can call or with questions on the CFATS program. Hours of Operation are 8:30 AM 5:00 PM, Monday through Friday. The CFATS Help Desk toll-free number is The CFATS Help Desk address is csat@dhs.gov. CFATS Web site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, please go to 14

15 For more information visit: Jim Harksen Infrastructure Security Compliance Division Office of Infrastructure Protection

16 Ammonium Nitrate: Statutory Authority December 26, 2007: President signed the 2008 Consolidated Appropriations Act that includes Section 563, Secure Handling of Ammonium Nitrate. This statute directs DHS to regulate the sale and transfer of ammonium nitrate by an ammonium nitrate facility...to prevent the misappropriation or use of ammonium nitrate in an act of terrorism. The statute requires DHS to: Establish threshold quantities of ammonium nitrate in mixtures; Register certain ammonium nitrate sellers and purchasers, and vet against the TSDB; Require ammonium nitrate facilities to maintain records on ammonium nitrate sales or transfers for two (2) years; Require ammonium nitrate facilities to report theft or loss of ammonium nitrate; and Inspect/audit facilities records. 16

17 Ammonium Nitrate Security Program Status On August 3, 2011, DHS published the Ammonium Nitrate Security Program Notice of Proposed Rulemaking (NPRM), which invited comments that will be used to inform DHS s development of the final rule. Comments on the proposed rule were due to DHS on or before December 1, Comments regarding information to be collected were due to OMB on or before October 3, During the comment period, DHS held several listening sessions across the country in locations with a high usage of ammonium nitrate. This provided potentially affected stakeholders an opportunity to comment on the NPRM. In addition, two Webinars were held for government stakeholders. Additional information on the Ammonium Nitrate Security Program can be found on the DHS web site at 17

18 Agricultural Production Facilities (APF) In January 2008, DHS indefinitely extended the Top-Screen due date for agricultural production facilities (APFs) in order to gather information and determine whether any modification to the Top-Screen requirement for APFs might be warranted. As part of our effort to better understand COI at APFs, in 2010 DHS surveyed 1,230 CFATS-tiered facilities that may provide COI-containing products to APFs. Based on the results of the survey, it appears possible that most farms, ranches, and other APFs would not be high-risk chemical facilities. The Department has not made a final determination as to whether any changes to CFATS regarding APFs may be warranted. In the meantime, DHS will work with the U.S. Department of Agriculture and other stakeholders to develop and distribute voluntary guidance for APFs on: Preventing theft or diversion of COI used in the agriculture sector; and Identifying and reporting suspicious activities and orders. 18