The Office of Infrastructure Protection

Transcription

1 The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Chemical Facility Anti-Terrorism Standards (CFATS) Update for Roof Coatings Manufacturers Association Members August 2015

2 Why Chemical Facility Security? The Homeland faces a persistent and evolving threat from terrorist groups and cells. Chemical facilities potentially are attractive targets as: A successful attack on some chemical facilities could potentially cause a significant number of deaths and injuries. Certain chemical facilities possess materials that could be stolen or diverted and used as or converted into weapons for use offsite. In 2007, Congress authorized the Department to regulate security at highrisk chemical facilities. The Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, to implement this authority. In December 2014, Congress passed H.R. 4007: Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (The CFATS Act of 2014). The President signed the CFATS Act of 2014 into law on December 18,

3 The CFATS Act of 2014 H.R. 4007: Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 Reauthorizes the CFATS program for an additional four years The act eliminates uncertainty and provides stability for industry to plan and invest in CFATS-related security measures The CFATS Act of 2014 preserves most of the existing regulations and provides additional provisions and changes to existing authorities to include: Expedited Approval Program for facilities in Tier 3 and Tier 4 Changes to the Personnel Surety Program Emergency Enforcement To read the Act in its entirety, please visit 3

4 Who Is Regulated? To determine if a facility is subject to CFATS, DHS looks at the unique circumstances faced by the facility, starting with the quantities of Chemicals of Interest (COI) the facility possesses. Potential regulation is not based on the facility type, meaning that many different types of facilities may be subject to CFATS, including: Chemical manufacturers Hospitals Warehouse and distributors Semi-conductor manufacturers Chemical repackaging operations Paint manufacturers Oil and gas operations Colleges and universities Congress did exempt several types of facilities from regulation: Facilities regulated under the Maritime Transportation Security Act (MTSA) or regulated by the Nuclear Regulatory Commission (NRC) Facilities owned or operated by the Departments of Defense or Energy Public water systems and water treatment works regulated under certain federal water quality laws 4

5 CFATS SSP/ASP Process Initiate CFATS Process Complete Top-Screen Complete SVA or ASP Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Facility with Chemicals of Interest (COI) at or above the Screening Threshold Quantity (STQ) recognizes the need to submit a Top- Screen and completes CVI training and CSAT user registration. CFATS Help Desk registers the facility and provides a user ID and password. Facility completes Top-Screen, identifying chemicals and quantities and providing other relevant information. DHS reviews Top- Screen information and determines the facility's Preliminary Tier status or determines that facility is not high-risk. DHS sends facility a Preliminary Tier letter and deadline for completing a Security Vulnerability Assessment (SVA) or an Alternative Security Program (ASP for Tier 4 facilities, if they choose). If DHS has determined that the facility is not high-risk, the facility is sent a letter releasing it from further regulation. Covered (high-risk) facility completes an SVA or ASP to provide more detailed information about COI and vulnerability to attack. SVA/ASP Review Complete SSP or ASP Authorization Inspection & Approval Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 DHS reviews SVA or ASP information provided and determines facility s Final Tier or that facility is not high-risk. DHS notifies the facility of its final status and tiered facilities are provided deadlines for completing an Site Security Plan (SSP) or ASP. Facility completes an SSP or ASP detailing sitespecific security measures to satisfy applicable Risk- Based Performance Standards. DHS reviews SSP or ASP and (a) issues authorization letter for SSP or ASP and schedules an inspection or (b) issues notice to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. DHS conducts authorization inspection, reviews all available information, and either issues a Letter of Approval for the SSP or ASP or issues notice to the facility to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. If SSP or ASP is approved, DHS conducts compliance inspections on a regular and recurring basis to verify continued compliance with the approved SSP or ASP.

6 Key CFATS Tools Chemical Security Assessment Tool (CSAT): CSAT is the backbone of the CFATS program, and currently includes four primary applications: User Registration Top-Screen SVA SSP Chemical-terrorism Vulnerability Information (CVI): CVI is the information protection category used to ensure secure handling of certain sensitive CFATS-related information. Except in emergency or exigent circumstances, only CVI authorized users with a need-to-know are permitted to access the CSAT Top-Screen, SVA, and SSP, certain correspondence, and other types CVI as specified in CFATS. Persons potentially eligible to access CVI include facility employees; federal employees, contractors, and grantees; and state/local government employees. DHS provides online CVI training and authorization. 6

7 Risk-Based Performance Standards (RBPS) Under the CFATS Act of 2014, a CFATS-covered facility must submit for DHS approval an SSP or, if the facility chooses, an ASP that contains security measures that meet all applicable RBPS developed by DHS. RBPS are non-prescriptive, and thus provide facilities with substantial flexibility, including the ability to leverage existing measures where appropriate. Compliance with the RBPS will be tailored to fit each facility s circumstances, including tier level, security issues, and physical and operating environments. Consequently, measures appropriate to meet an RBPS for one type of facility will not necessarily be appropriate for anther type of facility (e.g., DHS would not expect a covered university to necessarily employ the same type of measures as a large chemical manufacturer). CFATS currently has 18 RBPS, addressing areas such as perimeter security; shipping, receipt, and storage; cybersecurity; personnel surety; training; and recordkeeping. 7

8 Site Security Plan (SSP) Review and Inspections DHS uses a two-step process to determine if an SSP (or ASP) meets all applicable RBPS for a covered facility s tier and security-vulnerability issues. An SSP (or ASP) is reviewed by DHS and if it appears to meet the applicable RBPS, the facility will receive a Letter of Authorization and an inspection is scheduled. If it does not meet the applicable RBPS, the facility will be provided a letter identifying deficiencies that must be resolved prior to authorization or final approval. After a facility receives a Letter of Authorization, DHS will inspect the facility for compliance with CFATS and will either issue a Letter of Approval approving the SSP (or ASP) or issue a notice of deficiencies that must be resolved prior to final approval. Inspections typically take approximately one to two days and involve two or more inspectors. Facilities should be prepared to show all security elements in the authorized SSP (or ASP) during an inspection. 8

9 Program Status: Covered Facilities DHS has received over 50,000 Top-Screens. Of the Top-Screens received and analyzed, DHS issued preliminary tiers to more than 8,700 facilities. As of August 2015, CFATS covers over 3,230 facilities across all 50 states. 9

10 Program Status: SSPs and Inspections Site Security Plans (SSPs): DHS has issued letters of authorization to an estimated 3,140 facilities for their SSPs/Alternative Security Programs (ASPs) and roughly 2,030 have been approved. Authorization Inspections (AIs): The first AI was conducted during the summer of As of August 2015, approximately 2,570 AIs have been conducted. Compliance Assistance Visits (CAVs): DHS continues to conduct CAVs to assist facilities with RBPS compliance, and has completed an estimated 1,990 CAVs. 10

11 Program Status: Enforcement Administrative Orders: To date, DHS has issued 67 Administrative Orders under CFATS to facilities that failed to submit a SVA or SSP within the prescribed deadline and failed to meet all of the requirements for authorization. Compliance Inspections: In September 2013, DHS began conducting compliance inspections to verify facilities are implementing the measures contained in their approved SSP. As of August 2015, DHS has conducted approximately 110 CIs. 11

12 Program Status: Other Results Since the inception of CFATS, more than 3,000 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. 12

13 ISCD Progress ISCD is working to continuously strengthen the program and improve implementation of CFATS. Progress includes: Improving the SSP review process and increasing the pace of SSP reviews Refining inspector tools and training Reinvigorating industry engagement on the development of ASP templates Improving internal communications and organizational culture Preparing for an external peer review of the CFATS risk assessment methodology 13

14 Available Resources Outreach: DHS outreach for CFATS is a continuous effort to educate stakeholders on the program. To request a CFATS presentation or a CAV, individuals may submit a request through the program Web site, located at or by ing DHS at CFATS@dhs.gov. CFATS Help Desk: DHS has developed a CFATS Help Desk that individuals can call or with questions on the CFATS program. Hours of Operation are 8:30 AM 5:00 PM, Monday through Friday The CFATS Help Desk toll-free number is The CFATS Help Desk address is csat@dhs.gov CFATS Web site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, please go to 14

15 For more information visit: Infrastructure Security Compliance Division Office of Infrastructure Protection