CFATS: Chemical facility anti-terrorism standards

June 10, 2008
CFATS compliance from Top Screen to the site security plan

No one would deny the importance of protecting our chemical and petrochemical facilities against terrorists and other threats. But putting standards and best practices in place is understandably a lengthy and ever-evolving process. The industry's security leaders need to stay on top of the latest regulations, such as the Chemical Facility Anti Terrorism Standards (CFATS), to be compliant with the law and provide adequate security for their facilities and personnel.

Just over a year ago, on June 8, 2007, the Department of Homeland Security's CFATS Interim Final Rule (IFR) became a Federal Regulation under 6 CFR 27. The IFR along with its Appendix A, Chemicals of Interest (COI), released on Nov. 20, 2007 put in motion the uniform process of assessing our nation's chemical and petrochemical facilities against Risk-Based Performance Standards (RBPS). The purpose is to ensure that "high risk" chemical and petrochemical facilities have the proper security measures in place to prevent the release, theft, diversion, sabotage, or contamination of specific COI, as identified in Appendix A. The impact on the industry will depend on where a company's facility is ranked in the CFATS Tier process.

Under the IFR, if your company or facility manufactures, uses, stores or distributes any COI at the threshold levels identified in Appendix A, your company must have completed an online "Top Screen" using the DHS' Chemical Security Assessment Tool (CSAT) by January 22, 2008. As of March 31, 2008 over 30,000 Top Screens had been submitted and another 7,800 who had requested extensions were due. The DHS expects a total of 42,000 to 45,000 Tops Screens will be submitted before the process is completed.

If you have a facility that would fall under CFATS and you have not completed a Top Screen, it is not too late to do so. But please be aware that if you do not enter the screening process, DHS will be able to identify your facility through state and business record checks they are currently conducting, and will take action under Section 27.300 of the IFR. It also should be noted that if you currently have a facility that is governed under the Maritime Transportation Security Act you are not required to complete a Top Screen.

The DHS is processing all the Top Screens utilizing their computerized CSAT program. This process will place your facility into one of four risk tiers, or remove your facility from the CFATS program all together. It is estimated that of all the Top Screens received, 7,000 to 8,000 of them will be cataloged into one of the four tiers. Of these, it is estimated that approximately 100 will be ranked Tier I (the highest risk facility) and 200 to 300 will be ranked Tier II. The DHS was scheduled to send out all post-Top Screen preliminary letters for all tiers levels via registered mail in mid to late April 2008, however the anticipated delivery for these letters is now July. A facility's tier level is considered confidential and will be classified as Chemical-terrorism Vulnerability Information (CVI). Those facilities that submitted Top Screens but are not considered by DHS to be a security risk threat that would place them in one of the four tiers will be notified by e-mail and also by regular mail. These facilities will not be required to take any further action at this time.

Once you have received your Post Top Screen letter from the DHS, it will give you a specific timeline, based on their preliminary tier level, to complete your security vulnerability assessment (SVA) using the CSAT process. Once you have completed your SVA and submitted it back to DHS a final threat analysis will be performed to determine your facility's final tier level.

The final step in the process is the development of a site security plan (SSP) that will document how your company will meet the requirements of the 18 risk-based performance standards identified in the IFR to protect those items identified in your security vulnerability assessment. The site security plan is also part of the CSAT process and DHS will be issuing a 200-plus page risk-based performance standards guideline this August to assist you in the development of your site security plan. That will be the most difficult step in the process because it may go beyond the individual facility you are trying to protect. You may also have to include the physical location of required records and IT security requirements, if they are housed at a different location, such as your corporate headquarters.

Once you have submitted your site security plan it will be reviewed and compared against the security vulnerability assessment to determine if you have adequately addressed the protection of the facility in accordance with the risk-based performance standards. Upon approval, DHS will provide a letter that becomes your facility's security operating permit. To ensure your company's continued compliance and adherence to your approved plan, DHS field inspectors will conduct periodic in-depth site audits.

As you are most likely aware, CFATS has a sunset date at the end of October 2009, but the majority of chemical/petrochemical professionals believe it is here to stay in one form or the other. The only options that I see is that it becomes law as it is currently written, or with revisions. It also could be replaced by a different set of regulations like those proposed in the Thompson Bill (HR 5577), which would be stricter then the current IFR. The pressure is currently on the DHS to move quickly to show results under the current CFATS IFR. To do this, the DHS' CFATS staff is expanding, as is its budget. Plans call for DHS to have 10 field offices by the end of this year with a staff of 160, and then an increase to 300 in 2009. The 2008 budget is currently at $50 million, with a 2009 projection of $63 million.

As with other critical infrastructures, security requirements for the chemical and petrochemical industry are increasing and becoming more regulated. The final impact this will have on your company is yet to be determined. From my experience in the nuclear utility security industry, I would suggest that your company start to consider security as just another cost of doing business. Making the right choices now in the design of your site security plan will greatly assist you in keeping those costs within reason.

About the author: Richard A. Michau, CPP, is vice president of the chemical/petrochemical division of AlliedBarton Security Services, a premier provider of highly trained security personnel. He can be reached at [email protected].

[Editor's note: Previous versions of this story indicated that facilities governed under the Maritime Transportation Security Act would be required to complete a Top Screen. That is not the case; facilities governed under the Maritime Transportation Security Act will not be required to complete a Top Screen.]