Chemical Security Quarterly, January 2020

Volume 5, Issue 4

CFATS 2019 Year In Review

2019 was an exciting year for the Chemical Facility Anti-Terrorism Standards (CFATS) program and chemical security in general. Thank you to our many industry partners who have so closely worked with CISA to enhance the culture of chemical security across the country and the world. Some highlights from 2019 include:

January: While the beginning of the year was a little slower with the partial government shutdown, Congress and President Trump reauthorized the CFATS program for 15 months to avert any lapse in the regulation.

February and March: With CFATS reauthorized and the federal government funded, CISA ramped back up into full gear, quickly catching up on the missed inspections and continuing momentum.

April: Due to the hard work and initiative of the more than 150 Chemical Security Inspectors and other Regional Office personnel, CISA beat our projected outreach goals to Local Emergency Planning Committees (LEPCs) recommended by the Government Accountability Office (GAO).

May: The Office of Management and Budget (OMB) approved CISA’s information collection request to expand the CFATS Personnel Surety Program (PSP) to all high-risk chemical facilities, including those in Tier 3 and 4. This was a critical step to ensure that all affected individuals are vetted against the Terrorist Screening Database (TSDB) and closed the gap in the CFATS program.

June: CISA co-chaired a meeting of the G7 Global Partnership Against the Spread of Weapons and Materials of Mass Destruction's Chemical Security Working Group at the Organization for the Prohibition of Chemical Weapons in The Hague.

July: July was a full month as we cosponsored the 2019 Chemical Sector Security Summit in New Orleans, Louisiana with the Chemical Sector Coordinating Council; began implementing PSP at Tier 3 and 4 facilities; and launched the internal Inspection Audit Program, which is aimed at ensuring consistency in how CISA inspects CFATS facilities. The Summit was a huge success—despite the efforts of Hurricane Barry—as industry owners and operators, CISA leadership, government officials, first responders, and law enforcement met in-person and via webcast to discuss and share the latest in chemical security.

October: CISA, the FBI, DOD, and INTERPOL convened the second Global Congress on Chemical Security and Emerging Threats in Lyon, France. More than 200 individuals from 40 countries participated in in-depth discussions of the chemical terrorism threats faced around the globe. Subject matter experts included law enforcement, government, international organizations, academia, and chemical industry leaders.

December: The importance of CISA’s chemical security work was once again recognized by Congress, which passed a 2020 budget totaling $75.51 million for the chemical security program.

The threat of chemical terrorism remains constant. CISA is looking forward to enhancing our chemical security efforts in 2020 as we continue to work with government and industry partners to secure the chemical supply chain and make our nation and communities safer and more secure every day.


Security Advisory for Facilities Possessing Chemicals of Interest

In response to the recent National Terrorism Advisory System (NTAS) Bulletin that highlighted certain cyber operations that have been attributed to the Iranian government, CISA has issued a Bulletin, Enhancing Chemical Security During Heightened Geopolitical Tensions.

The Cybersecurity and Infrastructure Security Agency (CISA) is urging all facilities with chemicals of interest (COI) to consider enhanced security measures to decrease the likelihood of a successful attack. In the bulletin, we outline measures to increase your physical and cyber protection—regardless of whether your facility is tiered under CFATS.

Tiered CFATS facilities are not currently being required to implement the heightened security measures outlined under Risk-Based Performance Standards (RBPS) 13 and 14. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14. 

Additionally, Chemical Security Inspectors (CSI) around the country are available to provide chemical security assistance to facilities with chemicals of interest, including non-tiered facilities. To request further information, please contact your local CSI. To find out who your local CSI is, please email CFATS@hq.dhs.gov with the facility name, location, facility point of contact, contact information (i.e., phone and email), and desired meeting dates. 

CISA offers many additional free resources to strengthen the capacity of stakeholders to achieve their security and resilience mission. Visit the CISA.gov website for additional information and access to resources.

CFATS Program Statistics

To date, CISA has received over 95,000 Top-Screen submissions from over 42,000 facilities. Of these, CFATS covers 3,310 facilities. Additionally, the program has completed 4,144 Authorization Inspections, 5,787 Compliance Inspections, and 6,154 Compliance Assistance Visits.

View monthly statistics and more information: www.cisa.gov/cfats-monthly-statistics.


Are You Subscribed to NTAS Advisories via Email?

The National Terrorism Advisory System (NTAS) is designed to communicate information about terrorist threats by providing timely, detailed information to the American public. It recognizes that Americans all share responsibility for the nation's security and should always be aware of the heightened risk of terrorist attack in the United States and what they should do. As a CFATS facility, you share a part in this responsibility by maintaining awareness of the threat landscape and ensuring security measures are in place to mitigate the risk. Subscribe to NTAS Bulletins and Alerts.


Have You Switched to CISA.gov?

Our former DHS.gov websites will be phased out over the next few months and we have officially switched to CISA.gov. Here are some tips to make sure you are up-to-date:

RBPS Spotlight: 13 (Elevated Threat) and 14 (Specific Threat)

RBPS 13 - Elevated Threats - Escalate the level of protective measures for periods of elevated threat.

The “Elevated Threats” Risk-Based Performance Standard (RBPS) addresses the need to escalate the level of protective measures at your facility for periods of elevated threat as designated by CISA. RBPS 13’s purpose is to enhance facility and operational security, while reducing the likelihood of a successful attack, through the implementation of scalable security measures and actions in response to the National Terrorism Advisory System (NTAS). As a part of RBPS 13, facilities maintain a set of documented security procedures and measures that can be easily implemented in response to a change in the NTAS level. By maintaining the ability to increase security measures, the facility does not have to expend time and resources on more vigorous security measures unless and until warranted. Properly responding to and implementing appropriate security measures in response to different threat levels may significantly improve a facility’s capability to deter, detect, and delay an attack.

If an NTAS alert warrants the implementation of escalated security measures, CISA will notify facilities of the required steps to take to bolster their layered security approach. Examples of security measures that facilities may take during times of elevated threat could include:

  • Coordinating necessary security efforts with federal, state, and local law enforcement agencies
  • Preparing to execute contingency procedures or exercising response plans
  • Adding additional barriers at vehicle access points and around critical assets and restricted areas
  • Extending physical protection of vulnerable points
  • Increasing personnel and vehicle screening inspections
  • Increasing roving patrols

RBPS 14 - Specific Threats, Vulnerabilities, or Risks - Address specific threats, vulnerabilities or risks identified by the Assistant Secretary for the particular facility at issue.

A high-risk chemical facility may face threats or vulnerabilities that were not identified in the facility’s initial security vulnerability assessment. In some instances, new information about a threat, vulnerability, risk, or a new situation or information may come to the attention of the facility, CISA, or state or local authorities with responsibility for security. Addressing these previously unidentified, unrecognized, and/or specific facility threats, vulnerabilities, or risks is imperative to maintaining the security of the facility.

RBPS 14, when activated, requires the implementation of scalable security measures and actions in response to the newly identified threats. Essentially, CFATS is requiring that any high-risk chemical facility address any and all threats, vulnerabilities, and risks specific to that facility, as identified by CISA, in order to decrease the likelihood of a successful attack on its facility, personnel, products, or community.


Compliance Close-Up: Updating your SVA/SSP in CSAT 2.0 for the First Time

Several years ago, CISA released the Chemical Security Assessment Tool (CSAT 2.0), which streamlined the CFATS online processes, including the Security Vulnerability Assessment (SVA)/Site Security Plan (SSP) survey. As facilities update their SSPs for various reasons (for example, to implement the Personnel Surety Program or address a new chemical of interest), they may be encountering the new tool for the first time since its deployment. While almost all the information that facilities have previously submitted is pre-populated into the new survey, there are a few portions that a facility will need to review and possibly update.

General Reminders

  • Facilities will see questions that address Risk-Based Performance Standard (RBPS) 12(iv), screening for terrorist ties. Questions Q3.50.330 through Q3.50.550 allow facilities to identify the option(s) chosen and measure(s) used to implement those options for compliance with RBPS 12(iv). CISA has a variety of resources to help facilities respond to these questions in the Personnel Surety Program Toolkit.

  • Ensure you review any planned measures that were in your previously approved SSP. These measures should either be transferred as existing measures or updated as planned measures with an appropriate timeline.

    • When you update your SSP to remove completed planned measures and add them in as measures that are now in place, remember to check and update any references you may have made to those measures in other sections or questions, such as in the additional information text box.

  • While many facilities manage aspects of their SSP, such as cybersecurity, at the corporate level, the facility itself still maintains the security measures onsite. Ensure that your facility is incorporating those measures into the SSP, specifically for cybersecurity measures, and taking credit for these capabilities.

  • If there has been an increase in tier or new chemical of interest at your facility since your last update, ensure you address the changes, assess how they impact your overall security, and provide adequate detection and delay security measures. This may include the addition of new planned measures.

  • The improved SVA allows facilities to define critical assets, which allow for streamlined responses in the section of the SSP where facilities are asked to select whether a certain detection and delay measure applies to the perimeter and/or critical assets. Remember to review and revisit the Detect and Delay questions in the SSP to correctly identify the location(s) to which each security measure applies.

When you revise the SVA/SSP in CSAT 2.0 for the first time, there are several new questions you will need to answer. In the SVA, these questions include reviewing the currently tiered Chemical of Interest (COI), voluntarily adding non-tiered COI, and identifying COI use, critical assets, and overall security measures and vulnerabilities.

In the SSP, new questions that facilities will need to address include:

  • Q3.10.050 Personnel Presence
  • Q3.10.400 through Q3.10.420 Inventory Controls
  • Q3.40.400 through Q3.40.430 Cyber Control and Business Systems
  • Q3.50.320 Personnel Surety, Types of Affected Individuals
  • Q3.50.710 Recordkeeping Affirmation*

*This question alone replaces 15 questions in the previous survey!

Questions about the compliance process? Contact the Help Desk at CSAT@hq.dhs.gov.


Compliance Corner: Questions About Personnel Surety Program

Are you planning for or in the process of implementing the CFATS Personnel Surety Program? Visit the PSP Toolkit, a one-stop shop for all your PSP needs.

  • Take a few moments to watch and listen to the PSP webinar that walks you through the steps required to update your security plan as well as the steps to submit affected individuals' names using the CSAT PSP tool.
  • Review the Sample Supplement to find out what questions you will be required to answer when updating your security plan.
  • View a Sample Privacy Notice or a Sample Bulk Upload template.
  • Share the PSP Fact Sheet with other personnel at your facility who have a part in PSP implementation.

As always, if you have questions, contact your local Chemical Security Inspector or the Help Desk at CSAT@hq.dhs.gov.

Request for Assistance

We are committed to helping facility personnel understand and comply with CFATS. If you have any questions, reach out to our team of CFATS experts.

Request a CFATS Presentation to learn about the program—from submitting a Top-Screen to editing a security plan: www.cisa.gov/request-cfats-presentation.

Request a Compliance Assistance Visit to learn how to prepare for CFATS-related Inspections: www.cisa.gov/request-compliance-assistance-visit.

Meet your local Chemical Security Inspector (CSI) to develop partnerships and for assistance. Contact your CSI by emailing CFATS@hq.dhs.gov.

Call the CFATS Help Desk for technical support on the CSAT Portal or CFATS-related applications. Call 1-866-323-2957 Monday-Friday 8:30am to 5:00pm EST, or email CSAT@hq.dhs.gov.

Web Resources 

Chemical Security: www.cisa.gov/chemical-security

CFATS Homepage: www.cisa.gov/cfats

CFATS Process: www.cisa.gov/cfats-process

CSAT SSP Revisions & tips: www.cisa.gov/csat-ssp-submission-tips

CFATS Knowledge Center is a repository of FAQs, latest news, and resources: https://csat-help.dhs.gov