Securing the Chemical Sector: An Overview of the Chemical Facility Anti-Terrorism Standards August 29, 2007 Ronald E. Miller Inspector
2 CFATS – Regulation Overview DHS’s chemical facility security regulatory regime—the Chemical Facility Anti- Terrorism Standards (CFATS)—was published on April 9, 2007 In developing the final regulations, DHS reviewed over 1300 pages of comments on the ANRM submitted from over 110 commenters The CFATS, which will go into effect after a 60-day Congressional review period, also includes a list of Chemicals of Interest open for public comment and review DHS has created the Office of Infrastructure Protection’s Chemical Security Compliance Division (CSCD) to oversee the regulatory program Depending on degree of risk posed, covered chemical facilities will be placed in one of four tiers Regulation will use risk-based performance standards, allowing facilities to select the most cost-effective combination of measures to achieve an appropriate level of security CSCD will roll out regulatory oversight in a phased approach During 2007, DHS will focus its resources on approximately 50 of the highest risk facilities However, during 2007, all chemical facilities will be required to complete an initial consequence screen to identify which facilities are high risk Security measures at chemical facilities will never compromise safety measures Chemical facility security risks will not be transferred to surrounding communities
3 CFATS – Regulation Overview (cont.) The CFATS uses a multi-step process to: Identify high-risk chemical facilities Assign high-risk chemical facilities to risk tiers Identify vulnerabilities at high-risk chemical facilities Develop and implement Site Security Plans Inspect and audit facilities to ensure vulnerabilities are adequately addressed and risk-based performance standards are met Other important CFATS components include: Alternate Security Programs Adjudications Process CVI Step 1: Trigger Top Screen (STQ) Step 2: Perform Top Screen Step 4: Perform SVA Step 5: Develop Site Security Plan Step 3: Receive Preliminary Tiering Step 7: Inspections/Audits Step 8: Step 6: DHS Review of Site Security Plan Implement Site Security Plan
4 Approximate Phase-In of Regulation
5 CSAT – Top Screen Top Screen To identify which chemical facilities are high risk, and to gather information for DHS to make initial risk-based tiering decisions, facilities must complete a “Top Screen” Top Screen information will be submitted to DHS via the secure DHS CSAT website A facility must complete and submit a Top Screen if it possesses any of the chemicals listed in Appendix A at the corresponding Screening Threshold Quantity (STQ) Designated Submitter Each facility must designate a submitter who is responsible for submitting the Top Screen information to DHS The submitter must be designated by an officer of the corporation and domiciled in the U.S. Preliminary Determination Based on the information provided through the Top Screen process, DHS will determine whether or not a facility “presents a high level of security risk” and thus is a covered facility under the regulations A facility’s risk primarily depends on whether or not a terrorist attack could result in significant adverse consequences for human life or health, national security or critical economic assets Facilities will be notified in writing by DHS upon such a determination Submission Schedule The Top Screen must be completed and submitted within 60 days of the effective date of Appendix A or within 60 calendar days for facilities that subsequently come into possession of any of the chemicals listed in Appendix A at the corresponding STQs If a covered facility makes material modifications to its operation or site, the covered facility must submit a revised Top Screen within 60 days of material modification
6 CSAT – Security Vulnerability Assessment What is the SVA? To better define their security posture and identify their vulnerabilities, all covered facilities must complete a Security Vulnerability Assessment (SVA) Facilities in Tiers 1-3 must use the CSAT SVA tool developed by DHS Tier 4 facilities may use the CSAT SVA tool or submit an approved alternate SVA under the Alternate Security Program portion of the regulations SVA Makeup An SVA will include an asset characterization, threat assessment, security vulnerability analysis, risk assessment, and countermeasure analysis Submission Schedule Covered facilities must complete and submit SVAs within 90 calendar days of written notification from the Department or within the time frame specified in any subsequent Federal Register notice Review and Approval DHS will review and approve in writing all SVAs that satisfy the requirements of § , including Alternative Security programs submitted pursuant to § If an SVA does not satisfy the requirements of § , DHS will provide the facility with a written notification that includes a clear explanation of deficiencies in the SVA DHS will offer assistance to facilities that submit deficient SVAs
7 Registration for CSAT Registration In order to access the CSAT secure on-line tool, users must register with DHS by submitting a user access form Process After completion and submittal of the user access request form, DHS will issue unique usernames and passwords for access to the CSAT data collection tool to protect your company’s sensitive data Facilities must designate: A Preparer – authorized to enter the required data into CSAT, A Submitter – certified by the company or corporation to formally submit the regulatory required data to the Department. The Submitter must be authorized and domiciled in the U.S, and An Authorizer – empowered by the facility parent company to provide assurance that the user account request for the Preparer and Submitter is valid After Registration Upon receipt of username and password via , and following the June 8, 2007 activation date, users may access the Top Screen CSAT collection tool (found on-line at
8 Tiering of Covered Facilities Preliminary Tiering All covered facilities shall be placed within one of four risk-based tiers, ranging from the highest risk facilities in Tier 1 to lowest risk facilities in Tier 4 Facilities not covered by the regulation will not be tiered Initial tiering decisions will be based on information about the facility received from the Top Screen or other means The Department will notify a a facility of its initial risk based tier in writing Final Tiering After receiving the SVA, DHS will review the SVA and either confirm or adjust the risk-based tier assigned to the facility If, after receiving its final tiering, a facility makes material modifications to their operations, materials on site, etc., they must submit a revised Top Screen (and possibly SVA & SSP), and their tiering may be adjusted accordingly
9 Site Security Plans SSP: Each covered facility must prepare and implement a Site Security Plan that: Addresses each vulnerability identified in the SVA and describes the security measures to address each such vulnerability Identifies and describes how security measures selected by the facility meet or exceed each applicable performance standard for the facility’s risk-based tier CSAT SSP DHS has prepared a template for a model SSP, which is available through the CSAT tool Facilities must use either the CSAT model SSP or an alternate SSP format approved by DHS under the Alternate Security Program Submission of SSP SSPs must be submitted within 120 calendar days of written notification from DHS or within the time frame specified in any subsequent Federal Register notice When a covered facility updates, revises or otherwise alters its SVA, the covered facility must make corresponding changes to its SSP Review and Approval DHS will review and approve or disapprove all SSPs using a two-step process: First, DHS will make an initial determination based solely on the SSP and, if it is acceptable, issue a Letter of Authorization Once SSP is authorized, DHS will inspect a facility for determination of compliance with the rule; if in compliance, facility will receive a Letter of Approval If DHS disapproves a SSP, the facility will be notified in writing. Note that DHS will not disapprove a SSP based on the presence or absence of a particular security measure
10 Risk-Based Performance Standards Performance Standards Covered facilities must satisfy the Risk-Based Performance Standards (RBPSs) identified in Section of the regulations There are 19 RBPSs in the rule, addressing the following areas: Guidance for Covered Facilities DHS will issue guidance on the application of these standards to risk-based tiers of covered facilities, and the acceptable layering of measures used to meet these standards will vary by risk based tier. 6 CFR (a) 1.Restricted Area Perimeter 2.Securing Site Assets 3.Screening and Access Controls 4.Deter, Detect, and Delay 5.Shipping, Receipt, and Storage 6.Theft and Diversion 7.Sabotage 8.Cyber 9.Response 10.Monitoring 11.Training 12.Personnel Surety 13.Elevated Threats 14.Specific Threats, Vulnerabilities, or Risks 15.Reporting of Significant Security Incidents 16.Significant Security Incidents and Suspicious Activities 17.Officials and Organizations 18.Records 19.Others as determined by DHS
11 Inspections and Audits Inspections Generally In order to asses compliance with the requirements of the regulations, DHS may enter, inspect, and audit covered facilities Inspections will follow preliminary approval of SSPs Timing of Inspections DHS will provide 24-hour advance notice of inspections, except: If DHS determines that an inspection without such notice is warranted by exigent circumstances If any delay in conducting an inspection might be seriously detrimental to security, and the director of CSCD determines that an inspection without notice is warranted DHS may conduct spot inspections, if deemed necessary Inspectors Inspections and audits initially will be conducted by a team of specially trained Federal Protective Service inspectors detailed to CSCD Confidentiality of Information In addition to the protections afforded by CVI, information received in an audit or inspection shall remain confidential under the investigatory file exception, or other appropriate exception to the public disclosure requirements of 5 U.S.C. 552.
12 Alternative Security Plans Definition A third-party or industry organization program that DHS has determined meets the requirements of 6 CFR 27 and provides for an equivalent level of security to that established by the regulation Applicability Tier 4 facilities may submit an ASP in lieu of an SVA or SSP Tier 1, 2, & 3 facilities may submit an ASP in lieu of a SSP, though they may not submit an ASP in lieu of an SVA, i.e., Tier 1, 2, & 3 facilities must submit a CSAT SVA Notification DHS will inform a covered facility of the approval or disapproval of an ASP in a fashion similar to notifications provided for following approval or disapproval of an SVA or SSP
13 Orders & Adjudications Orders When DHS determines that a facility is in violation of any of the regulatory requirements, DHS may take appropriate action including the issuance of an appropriate Order Types of orders include Orders Assessing Civil Penalty and Orders to Cease Operations Civil penalties not to exceed $25,000 per day per violation Orders will include a description of the noncompliance, how to address the noncompliance, and the date by which the facility must comply with terms of the order Adjudication Any facility who has received a finding is entitled to an adjudication of any issue of material fact relevant to any administrative action which deprives that person of a cognizable interest in liberty or property Adjudications will be heard by a neutral adjudications officer Findings eligible for adjudication include potential security threat designations, SSP disapproval, and issuance of Orders To challenge a DHS determination, applicants must file Notice of Application for Review within seven calendar days of receipt of notification to the affected party of DHS’ Finding, Determination, or Order “Orders typically are stayed from the time of the filing of a Notice of Application for Review until the Presiding Office issues an Initial Decision” Appeals If an affected party disagrees with the Initial Decision received in the adjudication process, it has the right to appeal that decision to the Under Secretary
14 Chemical-terrorism Vulnerability Information Chemical-terrorism Vulnerability Information (CVI) CVI is an information handling regime established for the maintenance, safeguarding, and disclosure of the certain information and records related to the CFATS regulatory regime, including: Security Vulnerability Assessments Site Security Plans Documents related to the review and approval of SVAs and SSPs Alternate Security Plans Documents related to inspections or audits, etc. Other similar documents All CVI materials must be appropriately marked, handled, and stored Eligible Persons to use CVI The following classes of people may use CVI if they have a need to know: Facility employees Federal employees, contractors, and grantees State/local government employees CVI access will include training and certification Violation of CVI Violation of CVI is grounds for a civil penalty and other enforcement or corrective action by DHS and appropriate personnel actions for Federal employees
15 Review and Preemption of State Laws and Regulations Preemption No law, regulation, or administrative action of a State or political subdivision thereof shall have any effect if such conflicts with, hinders, poses an obstacle to, or frustrates the purposes of this regulation or of any approval, disapproval, or order issued thereunder Review of State Laws DHS may review State laws, administrative actions, or opinions or orders of a court under State law and regulations submitted under this section, and may offer an opinion whether the application or enforcement of the State law or regulation would conflict with, hinder, pose and obstacle to or frustrate the purposes of this Part DHS may issue an opinion on any question regarding preemptions DHS will always seek the views of the State or local jurisdiction whose laws may be affected by the review