CFATS
CHEMICAL-TERRORISM VULNERABILITY INFORMATION (CVI)
Background Information
CFATS introduced a new category of sensitive but unclassified information that protects security-related information developed pursuant to CFATS. This new category of information, known as Chemical-Terrorism Vulnerability Information (CVI) and authorized by Section 550 of the 2007 Homeland Security Appropriations Act, borrows aspects from existing information protection regimes such as Sensitive Security Information (SSI) and Protected Critical Infrastructure Information (PCII). All covered facilities subject to CFATS must comply with CVI regulations.On September 22, 2008, DHS published Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information (CVI), Revised CVI Procedural Manual, superseding both the June 2007 Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information Procedural Manual and the June 2007 Guide for the Preparation of Sanitized and Derivative Work Products Using Chemical-Terrorism Vulnerability Information. The revised CVI Manual is 30 pages shorter than its predecessor and provides clearer, more concise guidelines regarding, among other things, CVI use, access, dissemination, and storage.
Who has access to CVI?
CVI is exempt from disclosure under the Freedom of Information Act, as well as state open records laws. Generally, only "authorized users" with a "need to know" may access CVI:An authorized user is any person who has:
- Successfully completed the DHS online CVI training, which includes obtaining a CVI Authorized User Identification Number; and
- Satisfied any DHS requirement demonstrating trustworthiness (e.g., a background check), as applicable.
- When the person requires access to specific CVI to carry out chemical facility security activities that are approved, accepted, funded, recommended, or directed by DHS;
- When the person needs the information to receive training to carry out chemical facility security activities that are approved, accepted, funded, recommended, or directed by DHS;
- When the information is necessary for the person to supervise or otherwise manage individuals carrying out chemical facility security activities that are approved, accepted, funded, recommended, or directed by DHS;
- When the person needs the information to provide technical or legal advice to a covered person; and
- When DHS determines that access is required under 6 CFR §§ 27.400(h) or (i) in the course of judicial or administrative proceedings.
A covered person is a person who:
- Has a "need to know;"
- Receives or gains access to what the person knows is CVI; or
- Receives or gains access to what the person should reasonably know is CVI.
What is CVI?
As enumerated by 6 CFR § 27.400(b), CVI includes, among other things:- Security Vulnerability Assessments (SVAs);
- Site Security Plans (SSPs);
- Alternative Security Programs (ASPs); and
- Inspection and audit findings.
DHS no longer requires completion of a CVI Non-Disclosure Agreement, although DHS retains the right to require them (once again) in the future. However, DHS does require acceptance of CVI Affirmation Statements indicating that the user will comply with all CVI requirements. The Affirmation Statements are completed at the end of the CVI Training.
CVI Training
As noted above, to become an Authorized User, a person must complete CVI User Training. Those that completed CVI Authorized User training prior to September 2008 are encouraged to take the training again, as the training has been significantly revised and refined.CVI Cover Page
CVI users should also be familiar with the revised CVI Cover Page, which is used to protect CVI in storage, transmission, and during mailing. |