Securing the Chemical Sector:An Overview of the Chemical Facility Anti-Terrorism Standards

August 29, 2007

Ronald E. Miller

Inspector

2

CFATS – Regulation Overview

DHS’s chemical facility security regulatory regime—the Chemical Facility Anti-Terrorism Standards (CFATS)—was published on April 9, 2007 In developing the final regulations, DHS reviewed over 1300 pages of comments on the

ANRM submitted from over 110 commenters The CFATS, which will go into effect after a 60-day Congressional review period, also

includes a list of Chemicals of Interest open for public comment and review

DHS has created the Office of Infrastructure Protection’s Chemical Security Compliance Division (CSCD) to oversee the regulatory program

Depending on degree of risk posed, covered chemical facilities will be placed in one of four tiers Regulation will use risk-based performance standards, allowing facilities to select the most

cost-effective combination of measures to achieve an appropriate level of security

CSCD will roll out regulatory oversight in a phased approach During 2007, DHS will focus its resources on approximately 50 of the highest risk facilities However, during 2007, all chemical facilities will be required to complete an initial

consequence screen to identify which facilities are high risk

Security measures at chemical facilities will never compromise safety measures

Chemical facility security risks will not be transferred to surrounding communities

3

CFATS – Regulation Overview (cont.)

The CFATS uses a multi-step process to: Identify high-risk chemical facilities

Assign high-risk chemical facilities to risk tiers

Identify vulnerabilities at high-risk chemical facilities

Develop and implement Site Security Plans

Inspect and audit facilities to ensure vulnerabilities are adequately addressed and risk-based performance standards are met

Other important CFATS components include: Alternate Security Programs

Adjudications Process

CVI

Step 1: Trigger Top Screen (STQ)

Step 2: Perform Top Screen

Step 4:Perform SVA

Step 5: Develop Site Security Plan

Step 3:Receive Preliminary Tiering

Step 7:Inspections/Audits

Step 8:

Step 6:DHS Review of Site Security Plan

Implement Site Security Plan

4

Approximate Phase-In of Regulation

5

CSAT – Top Screen

Top Screen To identify which chemical facilities are high risk, and to gather information for DHS to

make initial risk-based tiering decisions, facilities must complete a “Top Screen” Top Screen information will be submitted to DHS via the secure DHS CSAT website A facility must complete and submit a Top Screen if it possesses any of the chemicals listed

in Appendix A at the corresponding Screening Threshold Quantity (STQ)

Designated Submitter Each facility must designate a submitter who is responsible for submitting the Top Screen

information to DHS The submitter must be designated by an officer of the corporation and domiciled in the U.S.

Preliminary Determination Based on the information provided through the Top Screen process, DHS will determine

whether or not a facility “presents a high level of security risk” and thus is a covered facility under the regulations

• A facility’s risk primarily depends on whether or not a terrorist attack could result in significant adverse consequences for human life or health, national security or critical economic assets

Facilities will be notified in writing by DHS upon such a determination

Submission Schedule The Top Screen must be completed and submitted within 60 days of the effective date of

Appendix A or within 60 calendar days for facilities that subsequently come into possession of any of the chemicals listed in Appendix A at the corresponding STQs

If a covered facility makes material modifications to its operation or site, the covered facility must submit a revised Top Screen within 60 days of material modification

6

CSAT – Security Vulnerability Assessment

What is the SVA? To better define their security posture and identify their vulnerabilities, all covered facilities

must complete a Security Vulnerability Assessment (SVA)

Facilities in Tiers 1-3 must use the CSAT SVA tool developed by DHS• Tier 4 facilities may use the CSAT SVA tool or submit an approved alternate SVA under the Alternate

Security Program portion of the regulations

SVA Makeup An SVA will include an asset characterization, threat assessment, security vulnerability

analysis, risk assessment, and countermeasure analysis

Submission Schedule

Covered facilities must complete and submit SVAs within 90 calendar days of written notification from the Department or within the time frame specified in any subsequent Federal Register notice

Review and Approval DHS will review and approve in writing all SVAs that satisfy the requirements of § 27.215,

including Alternative Security programs submitted pursuant to § 27.235

If an SVA does not satisfy the requirements of § 27.215, DHS will provide the facility with a written notification that includes a clear explanation of deficiencies in the SVA

• DHS will offer assistance to facilities that submit deficient SVAs

7

Registration for CSAT

Registration In order to access the CSAT secure on-line tool, users must register with DHS

by submitting a user access form

Process After completion and submittal of the user access request form, DHS will issue

unique usernames and passwords for access to the CSAT data collection tool to protect your company’s sensitive data

Facilities must designate:• A Preparer – authorized to enter the required data into CSAT,• A Submitter – certified by the company or corporation to formally submit the regulatory

required data to the Department. The Submitter must be authorized and domiciled in the U.S, and

• An Authorizer – empowered by the facility parent company to provide assurance that the user account request for the Preparer and Submitter is valid

After Registration Upon receipt of username and password via email, and following the June 8,

2007 activation date, users may access the Top Screen CSAT collection tool (found on-line at www.dhs.gov/chemicalsecurity)

8

Tiering of Covered Facilities

Preliminary Tiering

All covered facilities shall be placed within one of four risk-based tiers, ranging from the highest risk facilities in Tier 1 to lowest risk facilities in Tier 4

• Facilities not covered by the regulation will not be tiered

Initial tiering decisions will be based on information about the facility received from the Top Screen or other means

The Department will notify a a facility of its initial risk based tier in writing

Final Tiering

After receiving the SVA, DHS will review the SVA and either confirm or adjust the risk-based tier assigned to the facility

If, after receiving its final tiering, a facility makes material modifications to their operations, materials on site, etc., they must submit a revised Top Screen (and possibly SVA & SSP), and their tiering may be adjusted accordingly

9

Site Security Plans

SSP: Each covered facility must prepare and implement a Site Security Plan that: Addresses each vulnerability identified in the SVA and describes the security measures to

address each such vulnerability Identifies and describes how security measures selected by the facility meet or exceed

each applicable performance standard for the facility’s risk-based tier

CSAT SSP DHS has prepared a template for a model SSP, which is available through the CSAT tool Facilities must use either the CSAT model SSP or an alternate SSP format approved by

DHS under the Alternate Security Program

Submission of SSP SSPs must be submitted within 120 calendar days of written notification from DHS or within

the time frame specified in any subsequent Federal Register notice When a covered facility updates, revises or otherwise alters its SVA, the covered facility

must make corresponding changes to its SSP

Review and Approval DHS will review and approve or disapprove all SSPs using a two-step process:

• First, DHS will make an initial determination based solely on the SSP and, if it is acceptable, issue a Letter of Authorization

• Once SSP is authorized, DHS will inspect a facility for determination of compliance with the rule; if in compliance, facility will receive a Letter of Approval

If DHS disapproves a SSP, the facility will be notified in writing. • Note that DHS will not disapprove a SSP based on the presence or absence of a particular security

measure

10

Risk-Based Performance Standards

Performance Standards

Covered facilities must satisfy the Risk-Based Performance Standards (RBPSs) identified in Section 27.230 of the regulations

There are 19 RBPSs in the rule, addressing the following areas:

Guidance for Covered Facilities

DHS will issue guidance on the application of these standards to risk-based tiers of covered facilities, and the acceptable layering of measures used to meet these standards will vary by risk based tier. 6 CFR 27.230(a)

1. Restricted Area Perimeter2. Securing Site Assets3. Screening and Access Controls4. Deter, Detect, and Delay5. Shipping, Receipt, and Storage6. Theft and Diversion7. Sabotage8. Cyber9. Response10. Monitoring11. Training

12. Personnel Surety13. Elevated Threats14. Specific Threats, Vulnerabilities,

or Risks15. Reporting of Significant Security

Incidents16. Significant Security Incidents and

Suspicious Activities17. Officials and Organizations18. Records19. Others as determined by DHS

11

Inspections and Audits

Inspections Generally In order to asses compliance with the requirements of the regulations, DHS may enter,

inspect, and audit covered facilities

Inspections will follow preliminary approval of SSPs

Timing of Inspections

DHS will provide 24-hour advance notice of inspections, except:• If DHS determines that an inspection without such notice is warranted by exigent circumstances

• If any delay in conducting an inspection might be seriously detrimental to security, and the director of CSCD determines that an inspection without notice is warranted

DHS may conduct spot inspections, if deemed necessary

Inspectors Inspections and audits initially will be conducted by a team of specially trained Federal

Protective Service inspectors detailed to CSCD

Confidentiality of Information In addition to the protections afforded by CVI, information received in an audit or inspection

shall remain confidential under the investigatory file exception, or other appropriate exception to the public disclosure requirements of 5 U.S.C. 552.

12

Alternative Security Plans

Definition

A third-party or industry organization program that DHS has determined meets the requirements of 6 CFR 27 and provides for an equivalent level of security to that established by the regulation

Applicability

Tier 4 facilities may submit an ASP in lieu of an SVA or SSP

Tier 1, 2, & 3 facilities may submit an ASP in lieu of a SSP, though they may not submit an ASP in lieu of an SVA, i.e., Tier 1, 2, & 3 facilities must submit a CSAT SVA

Notification

DHS will inform a covered facility of the approval or disapproval of an ASP in a fashion similar to notifications provided for following approval or disapproval of an SVA or SSP

13

Orders & Adjudications

Orders When DHS determines that a facility is in violation of any of the regulatory requirements,

DHS may take appropriate action including the issuance of an appropriate Order Types of orders include Orders Assessing Civil Penalty and Orders to Cease Operations

• Civil penalties not to exceed $25,000 per day per violation Orders will include a description of the noncompliance, how to address the noncompliance,

and the date by which the facility must comply with terms of the order

Adjudication Any facility who has received a finding is entitled to an adjudication of any issue of material

fact relevant to any administrative action which deprives that person of a cognizable interest in liberty or property

Adjudications will be heard by a neutral adjudications officer Findings eligible for adjudication include potential security threat designations, SSP

disapproval, and issuance of Orders To challenge a DHS determination, applicants must file Notice of Application for Review

within seven calendar days of receipt of notification to the affected party of DHS’ Finding, Determination, or Order

“Orders typically are stayed from the time of the filing of a Notice of Application for Review until the Presiding Office issues an Initial Decision”

Appeals If an affected party disagrees with the Initial Decision received in the adjudication process, it

has the right to appeal that decision to the Under Secretary

14

Chemical-terrorism Vulnerability Information

Chemical-terrorism Vulnerability Information (CVI) CVI is an information handling regime established for the maintenance, safeguarding, and

disclosure of the certain information and records related to the CFATS regulatory regime, including:

• Security Vulnerability Assessments

• Site Security Plans

• Documents related to the review and approval of SVAs and SSPs

• Alternate Security Plans

• Documents related to inspections or audits, etc.

• Other similar documents

All CVI materials must be appropriately marked, handled, and stored

Eligible Persons to use CVI The following classes of people may use CVI if they have a need to know:

• Facility employees

• Federal employees, contractors, and grantees

• State/local government employees

CVI access will include training and certification

Violation of CVI Violation of CVI is grounds for a civil penalty and other enforcement or corrective action by

DHS and appropriate personnel actions for Federal employees

15

Review and Preemption of State Laws and Regulations

Preemption

No law, regulation, or administrative action of a State or political subdivision thereof shall have any effect if such conflicts with, hinders, poses an obstacle to, or frustrates the purposes of this regulation or of any approval, disapproval, or order issued thereunder

Review of State Laws

DHS may review State laws, administrative actions, or opinions or orders of a court under State law and regulations submitted under this section, and may offer an opinion whether the application or enforcement of the State law or regulation would conflict with, hinder, pose and obstacle to or frustrate the purposes of this Part

DHS may issue an opinion on any question regarding preemptions

DHS will always seek the views of the State or local jurisdiction whose laws may be affected by the review