CFATS

About Chemical Facility Anti-Terrorism Standards

SVA & SSP or ASP

 
With the launch of CSAT 2.0 in October 2016, DHS combined the Security Vulnerability Assessment (SVA) and Site Security Plan (SSP) / Alternate Security Program (ASP) processes into a single submission. All tiered facilities have 120 calendar days from receipt of a Risk Tier Notification to submit an SVA and SSP or ASP to DHS via the CSAT. DHS has provided SVA / SSP Instructions to assist with SVA and SSP / ASP submissions.
 
SVA
 
The CSAT 2.0 SVA requires facilities to describe the security measures they have implemented and any vulnerabilities they have identified across five areas:
  • Detection Measures and Identified Vulnerabilities;
  • Delay Measures and Identified Vulnerabilities;
  • Response Measures and Identified Vulnerabilities;
  • Cyber Security Measures and Identified Vulnerabilities; and
  • Policies, Procedures, and Resources and Identified Vulnerabilities.
For each SVA section, facilities are provided with a free-form text box, limited to 4,000 characters, and are asked to describe their security posture and potential related vulnerabilities.
 
SSP or ASP
 
The SSP/ASP must, among other things, identify and describe how each security measure will meet, as applicable, the eighteen Risk-Based Performance Standards (RBPSs). In order to assist facilities in developing their SSPs/ASPs, DHS published the CFATS RBPS Guidance document in final form on May 15, 2009.
 
The CSAT 2.0 SSP is organized into five overarching security objectives, which collectively account for all of the requirements of the eighteen RBPSs:
  • Detection Measures (RBPSs 1, 2, 3, 4, 5, 6, and 7);
  • Delay Measures (RBPSs 1, 2, 3, 4, 5, 6, and 7);
  • Response Measures (RBPSs 9, 11, 13, and 14);
  • Cyber Security Measures (RBPS 8); and
  • Security Management Measures (RBPSs 7, 10, 11, 12, 15, 16, 17, and 18).
Before DHS approves a facility’s SSP or ASP, it conducts an on-site Authorization Inspection to verify that the information is accurate and complete and that existing and planned security measures are appropriate and sufficient to meet the established RBPS requirements. Following the Authorization Inspection, DHS will either approve the SSP/ASP or require the facility to revise and re-submit the plan.