Roberts Law Group News

CFATS Cyber Reporting Requirements


The Cybersecurity and Infrastructure Security Agency (CISA) has released a new webpage and fact sheet to provide guidance to Chemical Facility Anti-Terrorism Standards (CFATS)-regulated facilities regarding how and when to report cybersecurity incidents.
Through these resources, CISA provides that reportable significant cybersecurity incidents at a CFATS facility may include, but are not limited to:
  • Known security issues, vulnerabilities, and exploits that impact a CFATS Chemical of Interest (COI) asset or system;
  • Attempts to gain unauthorized access to a critical cyber system;
  • Threats to Operational Technology (OT) systems;
  • Ransomware incidents;
  • Phishing, malware, trojan horse, or virus attacks that were not contained;
  • Structured Query Language (SQL) injections where malicious code is injected into a server and forces it to disclose private data;
  • Attempts to gain unauthorized access to a system’s wireless network or mobile devices on the network;
  • Changes to a system’s firmware, software, or hardware without the system owner’s consent;
  • Disruption or Denial of Service (DOS) or Distributed Denial of Service (DDOS) attempts; and
  • Impacts to national security, economic security, or public health and safety systems.
Cyber systems that CISA considers critical are systems related to controlling, processing, ordering, and/or accessing CFATS COIs – including control systems, business systems, access control systems, Enterprise Resource Planning (ERP) systems, sales systems, and safety instrumented systems.
Once a cyber incident has been detected and response measures have been initiated, CFATS facilities are now required to report significant cybersecurity incidents to CISA via CISA Central at
When contacting CISA Central, facilities should indicate they are “critical infrastructure” within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are CFATS regulated, and include their CFATS facility identification number.