The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Overview of the Chemical Facility Anti-Terrorism Standards (CFATS) November 2012
Why Chemical Facility Security? The Homeland faces a persistent and evolving threat from terrorist groups and cells. Chemical facilities potentially are attractive targets as: A successful attack on some chemical facilities could potentially cause a significant number of deaths and injuries. Certain chemical facilities possess materials that could be stolen or diverted and used as or converted into weapons for use offsite. In 2006, Congress authorized the Department to regulate security at highrisk chemical facilities. Covered facilities must perform Security Vulnerability Assessments (SVAs) and implement Site Security Plans (SSPs) containing security measures that meet DHS-defined Risk-Based Performance Standards (RBPS). The Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, to implement this authority. 2
Who Is Regulated? To determine if a facility is subject to CFATS, DHS looks at the unique circumstances faced by the facility, starting with the quantities of Chemicals of Interest (COI) the facility possesses. Potential regulation is not based on the facility type, meaning that many different types of facilities may be subject to CFATS, including: Chemical manufacturers Warehouse and distributors Chemical repackaging operations Oil and gas operations Hospitals Semi-conductor manufacturers Paint manufacturers Colleges and universities 3
CFATS Process Initiate CFATS Process Complete Top-Screen Complete SVA or ASP Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Facility with Chemicals of Interest (COI) at or above the Screening Threshold Quantity (STQ) recognizes the need to submit a Top- Screen and completes CVI training and CSAT user registration. CFATS Help Desk registers the facility and provides a user ID and password. Facility completes Top-Screen, identifying chemicals and quantities and providing other relevant information. DHS reviews Top- Screen information and determines the facility's Preliminary Tier status or determines that facility is not high-risk. DHS sends facility a Preliminary Tier letter and deadline for completing a Security Vulnerability Assessment (SVA) or an Alternative Security Program (ASP for Tier 4 facilities, if they choose). If DHS has determined that the facility is not high-risk, the facility is sent a letter releasing it from further regulation. Covered (high-risk) facility completes an SVA or ASP to provide more detailed information about COI and vulnerability to attack. SVA/ASP Review Complete SSP or ASP Authorization Inspection & Approval Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 DHS reviews SVA or ASP information provided and determines facility s Final Tier or that facility is not high-risk. DHS notifies the facility of its final status and tiered facilities are provided deadlines for completing an Site Security Plan (SSP) or ASP. Facility completes an SSP or ASP detailing sitespecific security measures to satisfy applicable Risk- Based Performance Standards. DHS reviews SSP or ASP and (a) issues authorization letter for SSP or ASP and schedules an inspection or (b) issues notice to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. DHS conducts authorization inspection, reviews all available information, and either issues a Letter of Approval for the SSP or ASP or issues notice to the facility to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. If SSP or ASP is approved, DHS conducts compliance inspections on a regular and recurring basis to verify continued compliance with the approved SSP or ASP.
Site Security Plan (SSP) Review and Inspections DHS uses a two-step process to determine if an SSP (or ASP) meets all applicable risk-based performance standards (RBPS). An SSP (or ASP) is reviewed by DHS If it appears to meet the applicable RBPS, the facility will receive a Letter of Authorization and an inspection is scheduled. If it does not meet the applicable RBPS, the facility will receive a letter identifying deficiencies that must be resolved prior to authorization or final approval. After a facility receives a Letter of Authorization, DHS will inspect the facility for compliance with CFATS and will either issue a Letter of Approval approving the SSP (or ASP) or issue a notice of deficiencies that must be resolved prior to final approval. Inspections typically take approximately one week and involve two or more inspectors. Facilities should be prepared to show all security elements in the authorized SSP (or ASP) during an inspection. 5
Risk-Based Performance Standards (RBPS) A CFATS-covered facility must submit for DHS approval an SSP or, if the facility chooses, an ASP that contains security measures that meet all applicable RBPS. RBPS are non-prescriptive, and thus provide facilities with substantial flexibility, including the ability to leverage existing measures where appropriate. Compliance with the RBPS will be tailored to fit each facility s circumstances, including tier level, security issues, and physical and operating environments. Consequently, measures appropriate to meet an RBPS for one type of facility will not necessarily be appropriate for anther type of facility (e.g., DHS would not expect a covered university to necessarily employ the same type of measures as a large chemical manufacturer). CFATS currently has 18 RBPS, addressing areas such as perimeter security; shipping, receipt, and storage; cybersecurity; personnel surety; training; and recordkeeping. 6
Key CFATS Tools Chemical Security Assessment Tool (CSAT): CSAT is the backbone of the CFATS program, and currently includes four primary applications: User Registration Top-Screen SVA SSP Chemical-terrorism Vulnerability Information (CVI): CVI is the information protection category used to ensure secure handling of certain sensitive CFATS-related information. Except in emergency or exigent circumstances, only CVI authorized users with a need-to-know are permitted to access the CSAT Top-Screen, SVA, and SSP, certain correspondence, and other types CVI as specified in CFATS. Persons potentially eligible to access CVI include facility employees; Federal employees, contractors, and grantees; and State/local government employees. DHS provides online CVI training and authorization. 7
Program Status: Covered Facilities DHS has received over 41,000 Top-Screens. Of the Top-Screens received and analyzed, DHS issued preliminary tier notification and SVA due dates to over 7,800 facilities. DHS has received over 8,000 SVAs and has reviewed nearly all of them. As of September 04, 2012, CFATS covers 4,433 facilities (3,660 final tiered facilities, 773 preliminarily tiered facilities) across all 50 states. Tier Final Tiered Facilities Facilities Awaiting Final Tier 1 114 7 2 452 51 3 1069 174 4 2025 541 Total 3660 773 All statistics are current as of September 4, 2012 8
Program Status: Other Results Since the inception of CFATS, more than 2,700 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. 9
Available Resources Outreach: DHS outreach for CFATS is a continuous effort to educate stakeholders on the program. To request a CFATS presentation or a CAV, individuals may submit a request through the program Web site, located at www.dhs.gov/chemicalsecurity, or by e-mailing DHS at CFATS@dhs.gov. CFATS Help Desk: DHS has developed a CFATS Help Desk that individuals can call or email with questions on the CFATS program. Hours of Operation are 7:00 AM 7:00 PM, Monday through Friday. The CFATS Help Desk toll-free number is 1-866-323-2957. The CFATS Help Desk email address is csat@dhs.gov. CFATS Web site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, please go to www.dhs.gov/chemicalsecurity. 10
For more information visit: www.dhs.gov/criticalinfrastructure Todd Klessman Infrastructure Security Compliance Division Office of Infrastructure Protection todd.klessman@hq.dhs.gov