Chemical Facility Anti Terrorism Standards – Background, Requirements and Recent Updates

• By: Staff Editor
• Date: July 29, 2010

Background

Post the 9/11 attacks and the formation of the Department of Homeland Security (DHS) it was decided that chemical facilities around the US needed to improve their security and protect vital information. As a result, Congress passed the Department of Homeland Security Appropriations Act in 2007 which gave the DHS authority to regulate high-risk chemical facilities in the US and also develop and implement chemical facility regulations. The Chemical Facility Anti Terrorism Standards (CFATS) was published in April 2007 and took effect from June of that year.

CFATS broadly requires high risk chemical facilities to enhance their security and establish new procedures for protecting chemical facility security information.

How are facilities deemed high risk?

The DHS determines whether a facility is high risk on a facility–by–facility basis. The classification of a facility as high risk generally depends on the type and amount of chemicals that it possesses.
 

CFATS Requirements

Those facilities that are covered by CFATS have to go through the following six phases in order to achieve regulatory compliance:

• Submission of a Top–Screen
• Notification of a preliminary risk-tier
• Submission of a Security Vulnerability Assessment (SVA)
• DHS notification of its final tier determination
• Submission of a Site Security Plan (SSP)
• Ongoing compliance.

Top-Screen Phase:

Facilities (including refineries and petrochemical plants) that possess any of the chemicals listed in Appendix A in specific amounts with the potential to create significant human lives or health consequences were required to complete the “Top-Screen” risk assessment through a secure web portal, named the Chemical Security Assessment Tool (CSAT). This process is used by the DHS to separate low risk and high risk facilities.

Notification of Preliminary Risk Tier

Facilities can be ranked as any one of four risk tiers (Tier 1 being highest risk and Tier 4 being low risk), depending on the DHS’ categorization. The DHS notifies owners and facilities of their high risk classification and their risk tier by letter. Facilities that do not "present a high level of security risk" are not subject to CFATS. These facilities have no further regulatory obligation, although a material modification at the facility may prompt further inquiry and possibly require resubmission of a Top-Screen. Facilities that do "present a high level of security risk" are subject to additional review and must complete an SVA.

Submission of Security Vulnerability Assessments (SVA)

The DHS requires high risk facilities to conduct Security Vulnerability Assessments (SVAs) and develop Site Security Plans (SSPs), and to submit them for approval. Tiered facilities submit SVAs, which DHS uses to determine a facility’s final tier.

Final tier determinations

DHS uses the SVA data to make final tier determinations. Therefore, some facilities no longer be covered by CFATs or may be more high risk. 

As of December 2010, DHS has classified approximately 218 facilities as final Tier 1s, 535 facilities as final Tier 2s, 1,126 facilities as final Tier 3s, and 2,215 facilities as final Tier 4s. 3 preliminary Tier 1 facilities are awaiting final tier determinations, as are 38 preliminary Tier 2s, 146 preliminary Tier 3s, and 474 preliminary Tier 4s.

Site Security Plan (SSP)

Once facilities receive their final tier notification, they have 120 days to submit an SSP to DHS via the CSAT portal. The SSP must, among other things, identify and describe how each security measure will meet, as applicable, the eighteen Risk-Based Performance Standards (RBPSs). These include:

1. Restrict Area Perimeter
2. Secure Site Assets
3. Screen and Control Access
4. Deter, Detect, and Delay
5. Shipping, Receipt, and Storage
6. Theft or Diversion
7. Sabotage
8. Cyber
9. Response
10. Monitoring
11. Training
12. Personnel Surety
13. Elevated Threats
14. Specific Threats, Vulnerabilities, or Risks
15. Reporting of Significant Security Incidents
16. Significant Security Incidents and Suspicious Activities
17. Officials and Organization
18. Records

In order to improve understanding and compliance with the SSP process, the DHS began conducting Pre-Authorization Inspections (PAIs) to both give additional guidance to industry and receive feedback on how to improve the SSP tool. Additionally, in mid-2010, DHS began taking enforcement action against facilities that failed to timely submit SSPs.

Recent Updates:

In January 2009, DHS updated the Top Screen Questions and in September 2010, updated the Top Screen User's Manual.
CFATS was to expire in 2011, but bills have been introduced in Congress to extend it for a further seven years in order to provide continuity for the chemical industry and federal government to be able to fully implement the regulatory requirements.

Additional Resources:

• Read the full CFATS here.
• Read the final Risk-Based Performance Standards Guidance for CFATS issued by the DHS here.