The Department of Homeland Security (DHS) administers a Chemical Facility Antiterrorism Standards (CFATS) program, requiring chemical facilities to undertake security measures to protect against “potential consequences of or vulnerabilities to a terrorist attack or incident.” The statutory basis for the program was first enacted in 2007, revised in 2014, and, as of 2020, extended to expire on July 27, 2023. CFATS is administered by DHS’ Cybersecurity and Infrastructure Security Agency (CISA). CFATS regulations establish risk-based performance standards for facilities that handle more than a screening threshold quantity (STQ) of any of 322 DHS-listed Chemicals of Interest. Regulatory requirements start with a facility filing an online “Top-Screen” survey form with CISA. On February 10, 2021, CISA reported receiving its 100,000th Top-Screen report (from over 40,000 unique facilities); this milestone provides a reminder that CFATS requirements apply to large swathes of industry.
Which facilities can be subject to CFATS requirements?
The CFATS program applies to most chemical facilities – which aren’t just facilities in organizations with “chemical” in their name. DHS defines a chemical facility as “any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by [DHS] to be potentially dangerous or that meets other risk-related criteria identified by the Department.” CFATS excludes certain classes of facilities already subject to other federal security requirements, including the Maritime Security Transportation Act and Safe Drinking Water Act, and those regulated by the Nuclear Regulatory Commission.
CISA regulations define “chemicals of interest” as those with toxic, flammable or explosive characteristics that would make them particularly attractive for dangerous criminal or terrorist actions. CISA’s list presently includes 322 such chemicals, but in January 2021 CISA published a notice of proposed rulemaking to consider removing certain explosives also regulated by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). Each chemical has at least one minimum Screening Threshold Quantity (STQ); many also address concentration.
What is the CFATS Regulatory Sequence?
CFATS provides phased, risk-based principles to tailor regulatory requirements to fit the hazards posed by chemical facilities. A facility’s status is determined at each stage, including requirements imposed and whether evaluation proceeds to the next step. DHS has developed a multi-application Chemical Security Assessment Tool (CSAT) with elements to be used at the various stages. The following sequence applies:
- Determine whether the facility is non-exempt, and handles at least one chemical of interest in quantity and concentration that meets or exceeds an applicable STQ.
- If so, the facility performs a “Top-Screen” hazard review.
- CISA evaluates the Top-Screen information, and makes a preliminary assignment of the facility to one of four risk-based tiers (Tier 1 represents the highest hazard facilities, and Tier 4 the lowest) – CISA can respond to inadequate or non-submission by making a preliminary assignment and/or commencing administrative action.
- Facility completes and submits a Security Vulnerability Assessment (SVA) based on its risk Tier, except that Tier 4 facilities have the option to prepare and submit an Alternative Security Program (ASP).
- CISA makes a final determination of hazard Tier, and facility prepares and submits a Site Security Plan (or ASP), built on detailed risk-based performance standards.
- CISA reviews the Plan or ASP, and inspects the facility to confirm its status.
- Facility corrects deficiencies and implements security plan/program activities, subject to ongoing review, update, and record keeping requirements.
I wrote in more detail about these provisions HERE and HERE.
What now?
Since the CFATS program has been extended into 2023, organizations can expect the program to continue in force. I have not found any specific references from the new Biden Administration, but assume that CFATS will be subject to the same re-intensification of regulatory oversight being applied to most federal programs.
Self-Assessment Checklist
Does the organization have any facility that handles a CFATS chemical of interest in quantity and concentration that meet screening threshold quantity (STQ) thresholds?
Has each of the organization’s “chemical facilities” met each of the following (successive) CFATS compliance responsibilities:
- Prepared and submitted a Top-Screen.
- Received a preliminary risk Tier assignment, and provided information required by DHS or necessary to contest any aspect of that assignment.
- Prepared and submitted a Security Vulnerability Assessment (or Alternative Security Program, if appropriate).
- Received a final risk Tier assignment, provided any additional information required by DHS or necessary to contest any aspect of that assignment.
- Prepared and submitted a Site Security Plan (or Alternative Security Program, if appropriate).
- Received CISA’s document review and inspection, and satisfied any agency requirements.
- Implemented the Site Security Plan, and ongoing record keeping and operational procedures.
Where can I go for more information?
About the Author
Jon Elliott is President of Touchstone Environmental and has been a major contributor to STP’s product range for over 30 years.
Mr. Elliott has a diverse educational background. In addition to his Juris Doctor (University of California, Boalt Hall School of Law, 1981), he holds a Master of Public Policy (Goldman School of Public Policy [GSPP], UC Berkeley, 1980), and a Bachelor of Science in Mechanical Engineering (Princeton University, 1977).
Mr. Elliott is active in professional and community organizations. In addition, he is a past chairman of the Board of Directors of the GSPP Alumni Association, and past member of the Executive Committee of the State Bar of California's Environmental Law Section (including past chair of its Legislative Committee).
You may contact Mr. Elliott directly at: tei@ix.netcom.com