Chemicals play a crucial role in many sectors of our economy and provide many benefits to businesses and individuals. They can also pose security risks, however, especially if they fall into the hands of terrorists. To address this threat, the U.S. Department of Homeland Security (DHS) administers the CFATS program, which regulates security for high-risk chemical facilities. All facilities that handle certain chemicals must adhere to these regulations to prevent these potentially hazardous substances from being used in an attack.
Chemical Facility Anti-Terrorism Standards
The Chemical Facility Anti-Terrorism Standards (CFATS) program is a regulatory program for security at high-risk chemical facilities. DHS administers the program through its Infrastructure Security Compliance Division (ISCD). Through the program, ISCD works with chemical facilities to ensure that they have measures in place to reduce risks associated with any of 300 hazardous chemicals of interest (COI) identified by DHS. CFATS aims to prevent these substances from being exploited as part of a terrorist attack.
CFATS regulation applies to “any establishment or individual that possesses or plans to possess” any of the COI at or above the threshold quantities identified by DHS. CFATS regulations apply to facilities across various industries, including:
- Chemical manufacturing
- Storage and distribution
- Agriculture and food
- Plastics manufacturing
- Energy and utilities
Why Is CFATS Important?
CFATS is an important regulation because the COI could cause a substantial amount of injury and death if used by terrorists as part of an attack. ISCD describes three main security issues related to COI.
- Release: Some COI are toxic, explosive or flammable and could be released at a facility.
- Theft or Diversion: If stolen or diverted, some COI could be converted into weapons using relatively simple chemistry, equipment or techniques. Diversion refers to acquiring a product using deception.
- Sabotage: Other COI could be hazardous if mixed with readily available materials.
The CFATS program is designed to help facilities reduce these risks by implementing appropriate security measures.
Background on CFATS
CFATS is the first U.S. regulatory program to focus explicitly on the security of high-risk chemical facilities. Congress first authorized the program in 2007.
In 2013, President Barack Obama issued the Executive Order on Improving Chemical Facility Safety and Security, EO 13650. The EO directed the federal government to improve chemical facility security and reduce risks posed by hazardous chemicals to workers and communities. The order established the Chemical Facility Safety and Security Working Group to oversee the effort. DHS, the Environmental Protection Agency (EPA) and the Secretary of Labor together chair this working group.
In response to the EO, DHS created the Infrastructure Protection (IP) Gateway, which is a repository of critical infrastructure information and tools, to enhance coordination between federal, state and local governments and community stakeholders to improve the CFATS program.
In December 2014, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act of 2014) was signed into law. The Act recodified and reauthorized CFATS for four years.
On January 18, 2019, President Donald Trump signed into law the Chemical Facility Anti-Terrorism Standards Program Extension Act, which extended the CFATS program for 15 months.
Before the 2019 extension, Sen. Ron Johnson (R-Wis.) authored legislation to make changes to the program. His bill would have removed regulations from CFATS that other agencies also cover and would have required an assessment of the program’s impact. The bill did not pass Congress, however, with Sen. Tom Carper (D-Del.) noting that the potential effects of the changes needed further study. With CFATS extended for 15 months, Congress is now examining the program and considering possible changes.
In February 2019, the House Homeland Security Committee held a hearing to examine long-term CFATS reauthorization or extension. In March 2019, the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation held a hearing titled Securing Our Nation’s Chemical Facilities that sought input from stakeholders on improving CFATS.
The CFATS Process
How does the CFATS process work? The basic steps of the process are as follows.
The first step is to determine if your facility is subject to CFATS. Ensure your facility is not statutorily exempted from CFATS. Exempted facilities include:
- Facilities regulated by the Maritime Transportation Security Act
- Facilities regulated by the Nuclear Regulatory Commission
- Facilities owned or operated by the Department of Defense or Department of Energy
- Several other types of facilities
If your facility isn’t exempted, check Appendix A to see if it handles any of the COI at or above the Screening Threshold Quantity (STQ).
If your facility is subject to CFATS, you must complete a Top-Screen, an online survey about the chemicals you possess. The survey is available using the Chemical Security Assessment Tool (CSAT), a secure web portal that DHS administers.
ISCD will review your Top-Screen and determine if your facility is a high-risk facility. If ISCD determines it is not, you are not regulated by CFATS. If it determines it is, it will assign the facility to a tier by risk level. ISCD ranks facilities into four tiers with Tier 1 representing the highest risk.
If your facility is regulated by CFATS, you must submit a Security Vulnerability Assessment (SVA) and either a Site Security Plan (SSP) or an Alternative Security Program (ASP) to DHS using the CSAT within 120 days.
The SVA identifies your facility’s use of COI, critical assets and measures surrounding policies, procedures and resources needed to support your security plan. It also includes an analysis of your facility’s security posture and potential vulnerabilities.
The SSP describes existing and planned security measures and is tailored to the tier and unique considerations of your facility. Your plan must meet the CFATS Risk-Based Performance Standards (RBPS), which describe security objectives.
Your facility can also choose to submit an ASP in place of an SSP. When submitting an ASP, you can develop your own template document rather than use one provided by ISCD for the SSP. An ASP needs to describe how security measures will meet the RBPS that apply to your facility and address its tier and security concerns.
After you submit your SVA and SSP or ASP, ISCD inspectors will conduct an authorization inspection at the facility. This inspection seeks to verify that the contents of the security plan are accurate and complete. Once the facility has satisfied the requirements of the authorization inspection, ISCD will approve the plan. Your company must then implement the plan. ISCD will conduct regular inspections to verify that the facility is adhering to the plan.
The CFATS Risk-Based Performance Standards (RBPS)
Every high-risk chemical facility must meet the 18 RBPS laid out in the DHS RBPS Guidance in their security plan. Each facility can choose the measures that will most cost-effectively achieve the appropriate performance level for each RBPS for the facility and its tier. The RBPS are as follows:
- RBPS 1, Restrict Area Perimeter: Secure and monitor the facility perimeter
- RBPS 2, Secure Site Assets: Secure and monitor restricted areas and potential critical targets in the facility
- RBPS 3, Screen and Control Access: Control access through screening or inspecting individuals and vehicles upon entry
- RBPS 4, Deter, Detect and Delay: Deter, detect and delay potential attacks
- RBPS 5, Shipping, Receipt and Storage: Secure and monitor the shipping, receiving and storage of hazardous chemicals
- RBPS 6, Theft and Diversion: Deter the theft and diversion of hazardous chemicals
- RBPS 7, Sabotage: Deter insider sabotage
- RBPS 8, Cyber: Deter cyber sabotage through preventing unauthorized access to cyber systems and critical process controls
- RBPS 9, Response: Create an emergency plan for handling security incidents
- RBPS 10, Monitoring: Maintain adequate monitoring, warning and communications systems
- RBPS 11, Training: Carry out appropriate security training, drills and exercises
- RBPS 12, Personnel Surety: Perform adequate background checks and ensure proper credentials for personnel, and, as needed, unescorted visitors
- RBPS 13, Elevated Threats: Escalate protective measures in response to elevated threat levels
- RBPS 14, Specific Threats, Vulnerabilities or Risks: Address threats, vulnerabilities or risks for the facility as identified by the assistant secretary
- RBPS 15, Reporting of Significant Security Incidents: Report security incidents to DHS and local law enforcement as needed
- RBPS 16, Significant Security Incidents and Suspicious Activities: Properly manage significant security incidents and suspicious activity in or around the facility by identifying, investigating, reporting and documenting it
- RBPS 17, Officials and Organization: Define who is responsible for security and compliance with CFATS
- RBPS 18, Records: Maintain appropriate records
RBPS Overarching Security Guidelines
ISCD provides five overarching security guidelines, or guideposts, that facilities can use when determining the appropriate security measures. These five guideposts are the overall security objectives addressed by the RBPS. The five guideposts are:
- Detection: The ability to identify potential attacks or signs of an attack and communicate that information as necessary. RBPS 1, 2, 3, 4, 5, 6 and 7 fall under the guidepost of detection.
- Delay: The ability to slow down the progress of adversaries to enable adequate protective forces to respond through the use of the appropriate security management processes. RBPS that fall under Delay include RBPS 1, 2, 3, 4, 5, 6 and 7.
- Response: The ability to manage, communicate and report appropriate reactions to potential attacks or adversary actions and reduce the impact of security-related incidents. RBPS 9, 11, 13 and 14 are related to the response guidepost.
- Cyber: The ability to secure critical cyber system process controls from unauthorized access. The cyber guidepost corresponds to RBPS 8.
- Security Management: The ability to appropriately manage the security plan, including developing and implementing policies, procedures and other processes that support implementation and oversight of the plan. RBPS that fall under the security management guidepost include RBPS 10, 11, 12, 15, 16, 17 and 18.
ISCD has the authority to pursue civil enforcement action against facilities that don’t comply with CFATS. The agency can impose a civil fine of up to $33,333 for every day a violation continues or issue an order to cease operations. Violations may include refusing to report COI, not developing or implementing security measures and knowingly providing false information. ISCD will notify a facility of non-compliance, specify the nature of the violation and outline the steps needed to correct it before assessing fines.
How to Best Manage CFATS Compliance
Ensuring compliance with CFATS can be complex and challenging, especially if not approached in an organized manner. Creating well-defined procedures and clear organization is essential for ensuring you meet all requirements.
An important early step in the process of managing CFATS compliance is determining who within your organization owns the CFATS process. Assigning oversight of compliance activities helps ensure that the necessary actions are taken. A facility might assign ownership of CFATS to a department such as risk management or environmental health and safety. You could also hire a new team member who will be dedicated to CFATS. Creating a cross-functional team to manage CFATS can help ensure that all aspects of compliance and safety issues are addressed. Even if one specific department or executive oversees the process, they will need to consult with other departments.
It’s also critical to create a plan for internal communication to ensure that information gets shared efficiently and securely. Ensure that all necessary employees go through Chemical-Terrorism Vulnerability Information (CVI) Authorized User Training. This DHS information protection program aims to protect information related to vulnerabilities from public disclosure or misuse.
Success with CFATS requires an organized, centralized approach. Using compliance software can help with this. Compliance software provides a central location through which qualified individuals can manage security protocols and ensure compliance. You can use this software to submit and manage all documents related to CFATS, providing a central source of information. A secure cloud-based platform can make this data available throughout the company and across multiple facilities. Keeping track of your data using a software platform helps you to demonstrate current as well as historical compliance. Using compliance software can help you to reduce the time spent on compliance activities and help to increase the accuracy and availability of documentation.
Telgian Compliance Regulation Software
Our compliance regulation software can help your facility to proactively manage and effectively demonstrate compliance. It can also help to reduce the personnel hours spent supporting compliance activity by establishing a data standard across functional alignments, making documentation more readily available to qualified individuals, eliminating repetitive data entry and more.
The CFATS module within our compliance software helps you to identify and organize the requirements of the 18 RBPS and provide continuous tracking of compliance activities, documents and audits. It is designed for both SSP and ASP approaches and aligns with the DHS web platform for CFATS submissions.
Our software is hosted in the cloud, which provides various advantages such as superior availability, mobility, scalability and security as well as enhanced opportunities for collaboration. It features adherence to more than 50 global compliance standards for IT, advanced threat analytics and distributed denial-of-service defense. Our data center facilities are also guarded with increased security at each level.
In addition to CFATS, our software supports compliance with the American Chemistry Council’s Responsible Care Security Code (RCSC).
To learn more about how our software can help your facility effectively, efficiently and securely manage compliance data and activities, contact us online or by phone at 1-877-TELGIAN today.