On April 9, 2007, the Department of Homeland Security issued
the Chemical Facility Anti-Terrorism Standards Regulation Interim Final Rule
(CFATS). This regulation was a result of
the Department of Homeland Security (DHS) Appropriations Act of 2007, which
provided DHS the authority to regulate chemical facility security throughout
CFATS is intended to establish a baseline level of security for facilities
considered to pose high risk to the general population in the event of a
terrorist attack. It defines security requirements for facilities that use,
manufacture, store or handle specific quantities of approximately 323 chemicals
that DHS has identified as being extremely dangerous. These chemicals are
called “chemicals of interest” (COI) and are listed in Appendix A of the
regulation. DHS has conducted a nationwide survey of facilities using these
chemicals of interest, resulting in the designation of nearly 7,000 of them as
“high risk.” These facilities are subject to the provisions of CFATS.
Figure 1. Tiers
The CFATS Process
The CFATS process is divided into four stages.
Step One: Top Screen
The purpose of the Top Screen is to evaluate all facilities housing quantities
of potentially hazardous chemicals to develop a ranking on their relative risk.
All facilities that used, manufactured, stored or handled any of the roughly
323 chemicals of interest in quantities above DHS-defined threshold limits were
required to submit a CFATS “Top Screen” by January 22, 2008. The top screen
gathered information on the type and quantity of chemicals used, stored,
manufactured or handled by the facility. If the facility did not have these
chemicals above the threshold, it was not subject to CFATS.
As a result of the top screen, facilities were divided into four different
tiers of risk, based on the potential consequences that could result from a
terrorist attack. DHS informed all facilities that submitted a top screen of
their initial tier ranking, or confirmed that the facility was not subject to
CFATS at that time. The tier letters identified specific chemicals of interest
and specific security concerns for each tiered facility. Of the estimated
32,000 facilities that submitted top screens, approximately 7,000 were
initially subject to CFATS (see Figure 1).
Step Two: Security Vulnerability Assessment
Where the top screen divided facilities into risk rankings based on potential
consequences, the security vulnerability assessment (SVA) seeks to determine
the likelihood that the unwanted consequences can be prevented based on the
security posture of the facility.
Once facilities have submitted their SVA data, DHS will issue final tier
rankings. Facilities that remain in one of the four tiers will be deemed
“covered facilities” and, therefore, subject to CFATS regulations.
Step Three: Site-Security Plan
The site-security plan ensures that covered facilities develop and implement a
security plan appropriate for their relative risk. Each tier ranking carries a
different level of performance required of the site-security plan (SSP).
The plan must respond to the specific issues raised by DHS in its final tier
letter sent to covered facilities. The guide for developing the SSP is covered
in a document called the "Risk Based Performance Standards" (RBPS).
The RBPS is intended to provide the facility with flexibility in developing
its SSP. Site-security plans will need to address 18 different parameters
identified in the Risk-Based Performance Standards, including restrict area
perimeter, secure site assets, screen and control access, theft and diversion,
cyber, response, monitoring, training and personnel security. Once the SSP is
complete, the facility submits it to DHS for review and approval. DHS then
issues an analysis of the SSP that identifies gaps to be corrected, or it
Step Four: Implementation and
Once a facility’s site security plan has been approved, the facility will have
a limited time to implement its plan. DHS then begins on-site inspection to
verify that the plan, as documented in the SSP, has actually been implemented.
Chemical-Terrorism Vulnerability Information (CVI)
In the course of implementing CFATS regulations, certain information is created,
compiled, handled and transmitted to DHS by regulated (covered) facilities.
This information has been characterized as Sensitive but Unclassified (SBU)
information by DHS and is known as Chemical-terrorism Vulnerability Information
(CVI). Detailed requirements exist for the proper handling of this information
to protect it from public disclosure under the Freedom of Information Act
(FOIA). The requirements are very specific and help protect this sensitive
information from disclosure to unauthorized persons. KCI Protection
Technologies has developed a CVI Security Guide™ to
assist facilities in complying with CVI requirements.
How KCI Protection Technologies Can Help
KCI Protection Technologies (KCI-PT) professionals were
involved in some of the earliest risk assessment activities for chemical and
other infrastructure sectors. With experience pre-dating 9/11 and the CFATS
regulations, KCI-PT staff know the CFATS regulatory requirements, having
supported some of the earliest preliminary research conducted by DHS and
KCI-PT’s multi-discipline experience in chemical-process safety programs,
fire-protection engineering, industrial security, life safety, security
vulnerability assessments, risk management and process development enables it
to provide engineering, consultation, and analysis services to Tier 1-4
facilities throughout the CFATS compliance process. KCI-PT provides assistance
with security-vulnerability assessments, site-security plans,
alternative-security plans, compliance audits, training, CVI education,
awareness and self-inspection, and provides a practical CVI Security Guide
to assist users with compliance to CVI
For more information, phone (307) 479-7000 or visit