CFATS


CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) GENERAL INFORMATION

In late 2006, Congress passed the Department of Homeland Security Appropriations Act of 2007.  In addition to providing money for the Department of Homeland Security (DHS), the law gave DHS the authority to regulate the nation’s highest-risk chemical facilities, and directed DHS to develop chemical facility security regulations.

After a brief comment period, DHS published the regulation on April 9, 2007. The regulation is known as the Chemical Facility Anti-Terrorism Standards (CFATS) and is published at 6 CFR § 27. CFATS (except for Appendix A) took effect on June 8, 2007 and requires “high–risk” chemical facilities to enhance security and establish new procedures for protecting chemical facility security information. Whether a facility is "high–risk" is a threshold question that DHS determines on a facility–by–facility basis. Generally, the type and amount of chemicals that a facility possesses determines whether – and to what extent – a facility is a "covered facility" subject to regulation.

The CFATS regulatory scheme can be broken down into six phases: submission of a Top–Screen, notification of a preliminary risk-tier, submission of a Security Vulnerability Assessment (SVA), DHS notification of its final tier determination, submission of a Site Security Plan (SSP), and ongoing compliance.

Top–Screen

CFATS require facilities that possess any of the chemicals at the quantities and concentrations listed in Appendix A to submit facility and facility-related information to DHS via a secure web portal called the Chemical Security Assessment Tool (CSAT). This process is known as the Top–Screen. Unless granted an extension, facilities had to submit a Top–Screen to DHS within 60 calendar days of Appendix A’s November 20, 2007 publication in the Federal Register. DHS updated the Top Screen Questions and Top Screen User's Manual most recently in January 2009 and May 2009 respectively.

DHS recently sent an Agriculture Survey to nearly 1,300 covered CFATS facilities that submitted Top-Screens indicating they possessed certain COIs used in agriculture activities. DHS had indefinitely extended the Top-Screen submission due date in December 2007 for farmers and other agricultural facilities that use COI for agricultural production purposes in order to gather more information regarding agricultural operations to determine whether modification of the Top-Screen was necessary for such facilities. This Agriculture Survey represents DHS’s modification of the Top-Screen and its first step in re-evaluating agricultural facilities that possess and use Appendix A COIs.

PRELIMINARY DESIGNATION

After reviewing the Top-Screen and other information, DHS notifies each facility by letter. Facilities that do not "present a high level of security risk" are not subject to CFATS. These facilities have no further regulatory obligation, although a material modification at the facility may prompt further inquiry and possibly require resubmission of a Top-Screen. Facilities that do "present a high level of security risk" are subject to additional review and must complete a SVA.

SECURITY VULNERABILITY ASSESSMENT (SVA)

On June 23, 2008, DHS began notifying thousands of facilities preliminarily determined to "present a high level of security risk." Of the approximately 30,000+ facilities that submitted a Top-Screen, about 7,000 were preliminarily assigned to one of four risk tiers that require increasingly stringent levels of security – Tier 1 facilities posing the greatest risk and requiring the most stringent security, and Tier 4 facilities posing the smallest risk (in relative terms) and requiring less stringent security.

Each preliminarily tiered facility must complete an SVA. Facilities classified as a Tier 4 are permitted to submit either the CSAT SVA or an Alternative Security Program SVA in lieu of the CSAT SVA. DHS has provided SVA Instructions to assist with completion of the required SVA Questions.

FINAL TIER DETERMINATIONS

DHS uses the SVA data to make final tier determinations; that is, DHS either will confirm or adjust its preliminarily tier determination for each facility. Accordingly, some facilities may exit CFATS altogether (e.g., DHS may decide, after reviewing the SVA, that a preliminary Tier 4 facility is really not high-risk after all). Other facilities may be deemed more high risk (e.g., DHS may decide, after reviewing the SVA, that a preliminary Tier 3 facility is properly classified as a Tier 1 or Tier 2 facility).

As of July 2010, DHS has classified approximately 226 facilities as  final Tier 1s, 531 facilities as  final Tier 2s, 1,132  facilities as  final Tier 3s, and  221 facilities as final Tier 4s. Four preliminary Tier 1 facilities are awaiting final tier determinations, as are 40 preliminary Tier 2s, 126 preliminary Tier 3s, and 717 preliminary Tier 4s. 

Notification of a facility’s final tier triggers the 120 day SSP submission clock.

SITE SECURITY PLAN (SSP)

All facilities have 120 days, from receipt of final tier notification, to submit a SSP to DHS via the CSAT. The SSP must, among other things, identify and describe how each security measure will meet, as applicable, the eighteen Risk-Based Performance Standards (RBPSs). In order to assist facilities in developing their SSPs, DHS published the CFATS RBPS Guidance document in final form on May 15, 2009. Previously, DHS had requested and received public comments based on the Draft (Fall 2008) version of the RBPS Guidance. A summary of these comments along with DHS responses accompanied the Final RBPS guidance release. DHS has made other resources available on its website, including the: CSAT SSP Questions, CSAT SSP Instruction Manual, and CSAT SSP Screenshots.

Additionally, in an effort to improve understanding and compliance with the SSP process, DHS began conducting Pre-Authorization Inspections (PAIs) to both give additional guidance to industry and receive feedback on how to improve the SSP tool.  Additionally, in mid-2010, DHS began taking enforcement action against facilities that failed to timely submit SSPs.

Important Documents