Audit, Compliance and Risk Blog

Congress Updates Chemical Facility Anti-Terrorism Standards

Posted by Jon Elliott on Mon, Feb 02, 2015 2007, Congress added a provision to the Department of Homeland Security (DHS) budget, directing DHS to create a program to identify chemicals that might be tempting targets for terrorists, and to require facility that handle sufficiently large quantities of these chemicals of interest to establish security programs subject to DHS oversight (“Section 550”). DHS responded to Section 550 by issuing Chemical Facility Anti-terrorism Standards (CFATS) rules, requiring compliance to begin in 2008.

Six years later, the CFATS program had met some of its goals, but also received consistent criticism about some of DHS’ substantive requirements and procedural approaches to program administration. In December 2014, Congress acted again, affirming most provisions in DHS’ regulations and program, and imposing revisions intended to address the criticisms (“Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014” (6 U.S.C. §§ 621 – 629)). The remainder of this blog presents a very brief summary of CFATS provisions, and identifies revisions imposed by the 2014 legislation.


CFATS applies to what DHS defines as: chemical facilities that handle onsite more than the more than a screening threshold quantity (STQ) of any chemical of interest. DHS regulations define each of these bolded terms.

Chemicals of Interest

CFATS defines 332 chemicals, each with at least one STQ and some with concentration thresholds as well. In setting STQs, DHS assesses three broad situations:

  • Onsite release of a toxic, flammable or explosive chemical, for chemicals onsite in storage vessels or transportation containers.

  • Theft or diversion of a chemical present in its Department of Transportation (DOT) mandated packaging. 

  • Sabotage or contamination (thresholds set at the amounts that DOT requires to be placarded during shipment).

DHS provides exemptions, under which facilities need not consider chemicals of interest under the following circumstances when determining compliance requirements:

  • Used as a structural component.

  • Used as products for routine janitorial maintenance.

  • Contained in food, drugs, cosmetics, or other personal items used by employees.

  • In process water or non-contact cooling water drawn from environment or municipal sources.

  • In air either as compressed air or as part of combustion.

  • Contained in articles.

  • In solid waste.

  • In naturally occurring hydrocarbon mixtures prior to their entry into a natural gas processing plant or a petroleum refining process unit.

  • Propane stored in tanks of 10,000 pounds or less.

Chemical Facilities

Facilities with at least an STQ amount of any chemical of interest are subject to initial risk screening, except for the following categories of facilities exempt from CFATS because they are subject to security-based regulation under other programs:

  • Facility subject to the Maritime Transportation Security Act of 2002.

  • Public water system subject to the Safe Drinking Water Act.

  • Treatment works subject to the Clean Water.

  • Facility owned or operated by the Department of Defense or the Department of Energy.

  • Facility subject to regulation by the Nuclear Regulatory Commission.

CFATS Regulatory Sequence

CFATS provides phased, risk-based principles to tailor regulatory requirements to fit the hazards posed by chemical facilities. A facility’s status is determined at each stage, including requirements imposed and whether evaluation proceeds to the next step. DHS has developed a multi-application Chemical Security Assessment Tool (CSAT) with elements to be used at the various stages. The following sequence applies:

  1. Determine whether the facility is non-exempt, and handles at least one chemical of interest in quantity and concentration that meets or exceeds an applicable STQ.

  2. If so, the facility performs a “Top-Screen” hazard review using CSAT, and submits the result to DHS for review.

  3. DHS evaluates the Top-Screen information, and makes a preliminary assignment of the facility to one of four risk-based tiers (Tier 1 represents the highest hazard facilities, and Tier 4 the lowest) – DHS may respond to inadequate or non-submission by making a preliminary assignment and/or commencing administrative action.

  4. Facility completes and submits a Security Vulnerability Assessment (SVA) based on its risk Tier, except that Tier 4 facilities have the option to prepare and submit an Alternative Security Program (ASP).

  5. DHS makes a final determination of hazard Tier, and facility prepares and submits a Site Security Plan (or ASP), built on detailed risk-based performance standards.

  6. DHS reviews the Plan or ASP, and inspects the facility to confirm its status.

  7. Facility corrects deficiencies and implements security plan/program activities, subject to ongoing review, update, and record keeping requirements.

DHS’ CFATS program activities have been reviewed by the agency itself, the Government Accountability Office (GAO), and Congress. Industry and community groups have offered critiques as well. The 2014 legislative amendments to CFATS incorporate these critiques.

Congressional Revisions to DHS’ CFATS Program Elements and Authority

Last month’s legislation specifically confirms most CFATS program elements – providing detailed endorsement of most aspects of the agency’s interpretation of the generalized assignments included in the 2007 legislation. The 2014 legislation does make some significant changes, however:

  1. Requires that SVAs include input from at least one facility employee with relevant knowledge, experience, training or education relating to security.

  2. Allows facility Site Security Plans to meet requirements for personnel security background screenings by using other federal programs that rely on the FBI Terrorist Screening Database (such as the Transportation Worker Identification Credential (TWIC) program).

  3. Creates a provision for a Tier 3 or Tier 4 facility to meet specified requirements and then seek expedited approval of its Site Security Plan; DHS is to issue guidance for expedited approvals by June 18, 2015.

  4. Clarifies and expands inspection and administrative enforcement authority.

  5. Directs DHS to develop an implementation plan for outreach to chemical facilities with regulated amounts of chemicals of interest that have not submitted a Top-Screen.

  6. Requires DHS to establish a reporting process and prohibit retaliation against whistleblowers.

  7. Clarifies provisions governing first responder access to sensitive security information.

  8. Ensures DHS is regularly reviewing and updating its risk assessment model used to evaluate facilities and assign hazard Tiers.

  9. Requires DHS to provide Congress key metrics for better oversight of program performance, including in periodic CFATS program performance reports.

The 2014 legislation also authorizes CFATS to continue for the next 4 years.

Self-Assessment Checklist

DHS has enforced its CFATS program for over 6 years, but the December 2014 legislation revises several aspects of DHS authority, and some specific elements of its administration and enforcement of that authority. Chemical facilities should be prepared to re-consider their status under CFATS, and how compliance responsibilities are met.

Does the organization have any facility that handles a CFATS chemical of interest in quantity and concentration that meet STQ thresholds?

Has each of the organization’s “chemical facilities” met its successive CFATS compliance responsibilities:

    • Prepared and submitted a Top-Screen?

    • Received a preliminary risk Tier assignment, and provided information required by DHS or necessary to contest any aspect of that assignment?

    • Prepared and submitted a Security Vulnerability Assessment (or Alternative Security Program, if appropriate)?

    • Received a final risk Tier assignment, provided any additional information required by DHS or necessary to contest any aspect of that assignment?

    • Prepared and submitted a Site Security Plan (or Alternative Security Program, if appropriate)?

    • Received DHS’ document review and inspection, and satisfied any agency requirements?

    • Implemented the Site Security Plan, and ongoing record keeping and operational procedures?

Has each of the organization’s “chemical facilities” reviewed the 2014 revisions to the CFATS legislation, to prepare for changes in its compliance responsibilities?

Where Can I Go For More Information?

Specialty Technical Publishers (STP) provides a variety of single-law and multi-law services, intended to facilitate clients’ understanding of and compliance with requirements. These include:

Subscribe to the STP Blog

About the Author Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 25 years. He was involved in developing 12 existing products, including Environmental Compliance: A Simplified National Guide and The Complete Guide to Environmental Law.

Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).

Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).

You may contact Mr. Elliott directly at:

photo credit: several_bees via photopin cc

Tags: Corporate Governance, Business & Legal, Employer Best Practices, Health & Safety, Environmental risks, Environmental, Hazcom, Workplace violence