Chemical Security Quarterly - June 2021
CISA's New Chemical Security Associate Director
The Cybersecurity and Infrastructure Security Agency (CISA) has selected Kelly Murray to serve as the new Associate Director for Chemical Security. In this role, Kelly will oversee the Chemical Facility Anti-Terrorism Standards (CFATS) program, proposed Ammonium Nitrate Security Program, and voluntary chemical security initiatives. Kelly has been with CISA’s Chemical Security team since 2008, where she rose through the ranks, having served previously as a Section Chief and Branch Chief, and most recently as the Acting Deputy Associate Director for Chemical Security.
Kelly brings a wealth of knowledge and experience in chemical security to the position. Over the last 13 years, she has been integral not only to developing and implementing the CFATS program, but also to growing the extensive stakeholder relationships across CISA’s critical infrastructure partners.
Prior to joining the Department of Homeland Security, Kelly was a government consultant who worked with the Federal Emergency Management Agency on disaster recovery and reconstitution efforts after Hurricane Katrina. She also worked with the Department of Defense on exercises, mobility and logistics, and war plans.
Kelly earned a bachelor’s degree from Indiana University in mathematics with minors in Information Technology, Economics, and Spanish, and recently graduated from the Federal Executive Institute.
As Kelly assumes the Associate Director role, Todd Klessman will resume his role as the Deputy Associate Director for Chemical Security. If you have any questions, feel free to reach out to CFATS@hq.dhs.gov.
Transportation Worker Identification Credential Recommendations
CISA shared best practices concerning the use of Transportation Worker Identification Credentials (TWIC®). Read more about the best practices below.
CFATS Information Collection Requests
CISA recently published two notices in the Federal Register requesting approval to continue collection of information pertaining to the CFATS regulation. Read more about the notices below.
2021 Chemical Security Seminars
The Chemical Security Seminars, hosted by the Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the Chemical Sector Coordinating Council (SCC), will take place virtually via Microsoft Teams Live on December 1, 8, and 15 from 11:00am-3:00pm ET (8:00am-12:00pm PT). The Chemical Security Seminars are the signature industry event for representatives across the chemical and interconnected sectors—including energy, communications, transportation, and water—to learn, share perspectives, and engage in dialogue on chemical security. Event registration will be available in the weeks ahead.
Transportation Worker Identification Credential (TWIC®) Recommendations
CISA is committed to working with our stakeholders to protect the nation’s highest-risk chemical infrastructure. As part of our ongoing collaboration with the Transportation Security Administration (TSA), CISA shared best practices concerning the use of Transportation Worker Identification Credentials (TWIC®) with high-risk chemical facilities under the CFATS program that use visual verification to fulfill Risk-Based Performance Standard (RBPS) 12(iv) – Screening for Terrorist Ties. While facilities are authorized under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (6 U.S.C. §§ 621-29) to visually verify TWIC® cards to comply with RBPS 12(iv), TSA and CISA strongly recommend electronic inspection of TWIC® cards. CISA is also aware that other facilities that are not currently high-risk under the CFATS program may also visually verify TWIC® cards.
To ensure that TWIC® cards are valid and up to date, TSA and CISA recommend that facilities:
- Use the TWIC® Advanced Digital Visual Inspection Solution for Revocation (TWIC® ADVISR™) for Android™ and iOS devices. This mobile application is not a TWIC® card reader, but rather a downloadable application that uses the TWIC® Canceled Card List (CCL) to determine if a TWIC® card presented to the user is active or canceled.
- If not using TWIC® ADVISR™, facilities can manually check that the TWIC® has not been canceled by visiting the Canceled Card Lists webpage and verifying that the Credential Identification Number (CIN) displayed on the back lower-left corner of the TWIC® is NOT listed on the CCL. The CCL is updated every 24 hours. For more information on the CCL, please visit the TSA TWIC webpage.
CFATS Information Collection Requests
CISA has recently published two notices in the Federal Register requesting approval to continue collection of information pertaining to the CFATS regulation, as well as proposing several minor updates to reflect passage of the Cybersecurity and Infrastructure Security Act of 2018, 6 U.S.C. §§ 651-74, and a clearer description of the scope of each Information Collection Request (ICR). CISA is not proposing changes to the scope of what information is collected in either ICR.
- On June 29, CISA published a corrective notice in the Federal Register (86 FR 34267) that corrected the instructions on how to submit comments, the length of time the comment period would be open, the number of comments received for the 60-day Federal Register notice, and the phone number for the point of contact to the 30-day notice (86 FR 32953) regarding Information Collection Request (ICR) 1670-0014. The 30-day notice solicited public comment on a revised ICR 1670-0014 that supports several efforts under the CFATS program, such as redeterminations, compliance assistance, and verifying information submitted on Top-Screens (i.e., sale of a facility or removal of COI), among others. The comment period closes on July 29, 2021, which is earlier than the previously published incorrect date of August 23, 2021.
- On June 23, CISA issued a 60-day notice in the Federal Register (86 FR 32960) soliciting public comments on revised ICR 1670-0029, which supports CISA’s ability to collect information about certain individuals with, or seeking access to, restricted areas or critical assets at high-risk chemical facilities for vetting against the Terrorism Screening Database (TSDB).
Visit the CFATS rulemaking webpage to view rules and Federal Register notices regarding CFATS and eCFR.gov to view all final rulemakings. If you have any questions, feel free to email CFATS@hq.dhs.gov.
Cyber Alert: DarkSide Ransomware
CISA and the Federal Bureau of Investigation (FBI) released Cyber Alert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks urging critical infrastructure asset owners and operators to adopt a heightened state of awareness and implement the recommendations listed in this advisory to help protect them against malicious activity.
New CISA Infrastructure Security Twitter Account
CISA’s Infrastructure Security Division is now on Twitter! Follow our new account at twitter.com/CISAInfraSec. We’ll be posting about new releases, reports, and updates related to infrastructure security.
CFATS Program Statistics
To date, CISA has received over 101,000 Top-Screen submissions from over 42,000 facilities. Of these, CFATS covers 3,298 facilities. Additionally, the program has completed 4,385 Authorization Inspections, 7,424 Compliance Inspections, and 9,246 Compliance Assistance Visits.
View monthly statistics on the CFATS Monthly Statistics webpage.
Practicing Good Cyber Hygiene
When it comes to cyber hygiene at CFATS-regulated facilities, CISA wants to ensure facilities are meeting the RBPS standards. Among other things, cyber systems at chemical facilities control sensitive processes, grant authorized access, and enable business operations. Cyber hygiene requires facilities to think proactively about their cybersecurity posture so they can resist cyber threats and mitigate online security issues. Good cyber hygiene habits help organizations maintain strong and secure networks and stay safe online. They also enable organizations to make good decisions about their smart devices, whether at home or at work.
In 2020, it was reported that 79% of organizations were hurt by their lack of cyber hygiene preparedness. Here are a few tips to help regulated facilities secure their critical business, physical security, and control systems:
- Conduct regular cybersecurity awareness training with employees and contractors who work with cyber assets.
- Implement password management protocols to enforce password structures, change all default passwords (where possible), and implement physical controls for cyber systems where changing default passwords is not technically feasible.
- Maintain account access control utilizing the least privilege concept, maintain access control lists, and ensure that accounts with access to critical/sensitive data or processes are modified, deleted, or deactivated immediately when the user leaves or no longer requires access.
- Require multifactor authentication to access critical business systems.
- Double-check identity when accessing common cloud services.
- Define allowable remote access, such as use of Virtual Private Networks (VPN) and firewalls as well as rules of behavior for remote access issues.
- Regularly patch and update software for known vulnerabilities. Microsoft offers Patch Tuesday where they regularly release software patches for their software products.
- Integrate backup power for all critical cyber systems should an emergency or incident occur.
- Use network segmentation.
- Inventory hardware and software on your network.
- Secure company-issued and employee-owned devices: routers, phones, computers, and printers.
If a cybersecurity incident occurs at your facility, report it to CISA Central at central@cisa.gov.
Reminder: Complete Your Annual Audit
Under 6 C.F.R. § 27.225(e), facilities are required to conduct an annual audit of their approved security plan. The first audit should be completed within 12 months after Site Security Plan (SSP)/Alternative Security Plan (ASP) approval and subsequent audits should be completed annually thereafter. Periodically assessing the security measures in a facility’s security plan is a critical component in maintaining an effective security plan. A facility’s annual audit is a great time to:
- Ensure the plan continues to meet its goals and is effective
- Confirm that all the information is up to date
- Identify any security gaps and corresponding mitigation measures
- Review the implementation of planned measures
- Review roles and responsibilities
Additionally, RBPS 18 – Records requires that facilities maintain documentation of the annual audit, including:
- Date of the audit
- Results of the audit
- Name(s) of individuals who conducted the audit
- Letter (or similar document) certified by the facility with the date that the audit was conducted
Download the RBPS 18 Sample Record (i.e., Record of SSP/ASP Audit) from the RBPS 18 – Records webpage.
New and Updated Resources
We are committed to helping facility personnel understand and comply with CFATS. If you have any questions, reach out to our team of CFATS experts.
Request a CFATS Presentation to learn about the program—from submitting a Top-Screen to editing a security plan.
Request a Compliance Assistance Visit to learn how to prepare for CFATS-related inspections.
Meet your local Chemical Security Inspector (CSI) to develop partnerships and for assistance. Contact your CSI by emailing CFATS@hq.dhs.gov.
Call the CSAT Help Desk for technical support on the CSAT Portal or CFATS-related applications. Call 1-866-323-2957 Monday-Friday 8:30am to 5:00pm ET, or email CSAT@hq.dhs.gov.
Bookmark Our URLs
Chemical Security | CFATS Homepage | CFATS Process | CSAT SSP Submission Tips
The CFATS Knowledge Center is a repository of FAQs, latest news, and resources.