|
Chemical Security Quarterly - Winter 2022 |
|
ChemLock – CISA’s New Voluntary Chemical Security Program
The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new chemical security program, ChemLock. ChemLock is a completely voluntary program that provides facilities with services and tools to help them improve their chemical security posture.
Based on expertise acquired from more than a decade of helping high-risk CFATS facilities enhance their chemical security, the ChemLock program is open to all facilities with dangerous chemicals, regardless of sector. Facilities covered by CFATS can also participate in the ChemLock program. ChemLock’s current offerings include:
-
On-site chemical security assessments and assistance
-
Resources (guidance documents, templates, best practices, and awareness)
-
Exercises and drills
-
Training courses
There are no fees to participate in a ChemLock service or to use its tools.
To learn more about ChemLock, visit www.cisa.gov/chemlock.
The program is currently accepting service requests via its online ChemLock Services Request Form.
If you have questions or would like to discuss if your facility can participate in the voluntary ChemLock program, please contact ChemLock@cisa.dhs.gov.
|
|
|
ChemLock Service Spotlight: ChemLock Resources
Facilities that are not high-risk under CFATS are encouraged to check out ChemLock: Secure Your Chemicals guidance document (PDF, 1.7 MB). This comprehensive security planning resource covers how to develop a layered security plan tailored to a facility’s operating environment. The guidance document is accompanied by a corresponding template (DOCX, 453 KB) that can be downloaded and filled out by facilities as they engage in security planning.
Looking for a cost-effective way to enhance your facility’s security posture? Consider ChemLock’s Security on a Budget, a two-page document which highlights simple, effective, and cost-efficient actions you can take to enhance security at your facility.
Do you have recommendations for resources you and your facility would find useful and informative? Please email us at ChemLock@cisa.dhs.gov.
2021 Chemical Security Seminars: Presentations Now Available
Thank you to everyone who tuned into the 2021 Chemical Security Seminars! These live, virtual events were a great way to continue to engage with our chemical security partners across the nation, while still being mindful of the ongoing pandemic.
The themes for the three weeks included chemical threats and countermeasures, cyber threats and emerging trends, and chemical security planning and preparedness.
|
|
|
Facilities that are required to report their chemicals of interest to CISA as part of the CFATS program do so via the Chemical Security Assessment Tool (CSAT) 2.0. The CSAT 2.0 portal is also the location where facilities review official correspondence and submit any other required documentation, such as site security plans. CISA encourages facilities to periodically review the roles they’ve set for their employees to ensure they’re up to date with current operations and duties.
There are five user roles that a facility can set for their personnel depending on their role so that they can access the CSAT 2.0 Portal: Authorizer, Administrator, Submitter, Preparer, and Reviewer. Each of these roles is designed to assist a facility in setting up their profile to work most effectively for their business operations. For more information about these roles or how to use CSAT 2.0, please see the CSAT Portal User Manual posted on the CSAT webpage.
The Authorizer role can register facilities, invite other individuals to register with CSAT, manage user roles, view surveys, and transfer the Authorizer role to another individual. Note: There can only be one Authorizer per facility.
To receive access to CSAT, an Authorizer must first register on the CSAT Registration webpage. The registration process will allow an Authorizer to register one or more facilities at a time. CISA will validate the registration and notify the user on how to access CSAT. The Authorizer can then invite new or existing CSAT users to gain access to their facility data to complete CFATS requirements.
If a facility has access to the Personnel Surety Program (PSP), see below for additional privileges.
The Administrator role can create facilities and manage users but cannot review any survey information. Note: There can be multiple Administrators per Authorizer.
Users with the Authorizer and Administrator role have user management capabilities that allow them to add, change, or delete users for any CSAT role for that facility.
The Submitter role is responsible for filling out, editing, and submitting the surveys in CSAT, and is the only role that can submit a completed survey to CISA. A Submitter role can also manage the Reviewer and Preparer roles. Note: There can only be one Submitter per facility. An individual can be assigned to the Submitter role for multiple facilities.
The Preparer role fills out or edits the surveys in CSAT but cannot submit a completed survey to CISA. Note: There can be multiple Preparers per facility.
The Reviewer role can view the surveys in CSAT in read-only permission and cannot edit or submit a completed survey to CISA. There can be multiple Reviewers per facility.
CSAT Personnel Surety Program (PSP) User Roles
The PSP tab will only be available to users if your facility is approved to submit affected individuals under PSP and if you have an Authorizer, Administrator, or PSP Submitter role.
Authorizer and Administrator:
-
Can view, edit, and submit information about affected individuals under Option 1 or Option 2 in the Corporation group.
-
Can initiate the user registration process for individuals without an existing CSAT user role and assign them to PSP Submitter role.
-
Can assign an existing CSAT user the PSP Submitter role.
-
Can create and manage user defined fields (UDF) and groups.
-
Can view, edit, and submit information about affected individuals under Option 1 or Option 2 in the group they have been assigned to.
-
Can be multiple PSP submitters per Authorizer.
-
Can only be assigned to one group at a time.
-
Multiple PSP Submitters can be assigned to a group.
|
Compliance Corner: How to Report Suspicious Activity and Security Incidents
Chemical facilities covered under the CFATS program should have in their Site Security Plans (SSPs) protocols regarding the identification and reporting of an incident to appropriate facility personnel, as well as protocols determining whether the incident is “significant” and thus should be reported to appropriate facility personnel, local law enforcement, and/or CISA.
If a significant security incident is detected while in progress, the facility should immediately call local law enforcement and emergency responders via 9-1-1. Similarly, if the event has concluded but an immediate response is still necessary, the facility should immediately call 9-1-1.
As outlined in Risk-Based Performance Standard (RBPS) 15 – Reporting of Significant Security Incidents and RBPS 16 – Significant Security Incidents and Suspicious Activities, once an incident has concluded and any emergency has been addressed, CFATS facilities should report significant cyber and physical incidents to CISA Central at central@cisa.gov.
CISA Central provides the infrastructure for around the clock management and access to critical CISA services for owners and operators.
-
When contacting CISA Central, CFATS facilities should indicate they are “critical infrastructure” and within the Chemical Sector.
-
Facilities should also include a description of the incident, indicate that they are regulated under CFATS, and include the facility identification number (FID) issued to them by CISA when they registered their facility in the Chemical Security Assessment Tool (CSAT).
Make sure you know who your points of contact are! We recommend you keep the following points of contact’s information on hand:
-
Local Nonemergency Number
-
Facility Security Officer
-
Facility Cybersecurity Officer
-
Chemical Security Inspector
|
CISA Urges Organizations to Implement Immediate Cybersecurity Measures to Protect Against Potential Threats
In response to recent malicious cyber incidents in Ukraine—including the defacement of government websites and the presence of potentially destructive malware on Ukrainian systems—CISA has published CISA Insights: Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats (PDF, 270 KB). The CISA Insights strongly urges leaders and network defenders to be on alert for malicious cyber activity and provides a checklist of concrete actions that every organization—regardless of sector or size—can take immediately to:
-
Reduce the likelihood of a damaging cyber intrusion
-
Detect a potential intrusion
-
Ensure the organization is prepared to respond if an intrusion occurs
-
Maximize the organization’s resilience to a destructive cyber incident
CISA urges senior leaders and network defenders to review and implement the cybersecurity measures on the checklist. As of February 24, 2022, tiered CFATS facilities are not being required to implement the heightened security measures under Risk-Based Performance Standards (RBPS) 13 – Elevated Threats and RBPS 14 – Specific Threats, Vulnerabilities, or Risks, of their security plans. CISA is monitoring the intelligence information and will inform high-risk chemical facilities if there are changes that warrant activation of RBPS 13 or 14.
|
CFATS Program Statistics
To date, CISA has received more than 103,000 Top -Screen submissions from over 44,000 facilities. At this time, 3,248 of these facilities are high-risk. Additionally, the program has completed 4,512 Authorization Inspections, 8,662 Compliance Inspections, and 9,840 Compliance Assistance Visits.
We are committed to helping facility personnel understand and comply with CFATS. If you have any questions, reach out to our team of CFATS experts at CFATS@hq.dhs.gov.
Request a CFATS Presentation to learn about the program—from submitting a Top-Screen to editing a security plan.
Request a Compliance Assistance Visit to learn how to prepare for CFATS-related inspections.
Meet your local Chemical Security Inspector (CSI) to develop partnerships and for assistance. Contact your CSI by emailing CFATS@hq.dhs.gov.
Call the CSAT Help Desk for technical support on the CSAT Portal or CFATS-related applications. Call 1-866-323-2957 Monday-Friday 8:30am to 5:00pm ET, or email CSAT@hq.dhs.gov.
Bookmark Our URLs
Chemical Security | CFATS Homepage | CFATS Process | CSAT SSP Submission Tips
The CFATS Knowledge Center is a repository of FAQs, latest news, and resources.
|
|
|
|
|
