Chemical Facility Anti-Terrorism Standards Update Ohio Chemical Technology Council November 12, 2013
Chemical Facility Anti-Terrorism Standards The Chemical Facility Anti-Terrorism Standards (CFATS) regulatory program focuses specifically on security at high-risk chemical facilities The CFATS program identifies and regulates high-risk chemical facilities to ensure they have security measures in place The Department works closely with the private sector and industry to assess risks, implement protective programs, and measure effectiveness Facilities must meet and maintain performance-based security standards appropriate to the facilities and the risks they pose Source: DHS
Origins in a Post-9/11 World For decades, chemical facilities were safe, but not necessarily secure Post 9/11 paradigm shift to security However, many chemical facilities did not voluntarily invest sufficiently in security Senator Corzine proposed Federal legislation six weeks after 9/11 Vehemently opposed by industry; failed to pass Pittsburgh Tribune-Review expos Throughout 2002 & 2003, Reporter Carl Prine walked into chemical facilities around the country with a smile and wave 60 Minutes story (6/13/04) Steve Kroft & Carl Prine walked into many of the same plants, this time with cameras Public groundswell arose for action Pittsburgh Tribune-Review available at Newseum.org Images of Kroft and Pine available on PBS.org
Legislative Development DHS agreed that chemical facility security legislation should be a top priority A successful attack on one of many chemical facilities could cause significant loss of human life Immediately post-9/11, many chemical facilities had woefully insufficient security Simply relying on voluntary industry security efforts was not having a sufficient effect Many Congressmen heeded the call, and various bills were introduced Legislation was supported by the public, Congress, and even industry Multiple detailed bills were proposed but no agreement was reached On October 4, 2006, President Bush signed House Homeland Security Appropriations Bill, which included a provision to give DHS regulatory authority over “high-risk chemical facilities” To implement this new authority, the Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27
Guiding Principles of the CFATS Program Not all chemical facilities present the same level of risk The most scrutiny should be focused on those that, if attacked, could endanger the greatest number of lives, have the greatest economic impact, or present other significant risks Facility security should be based on reasonable and clear performance standards Facilities should be given flexibility to select site-specific security measures that will effectively address those risks Recognize the progress many responsible companies have made to date and build on that progress Security measures should never compromise safety measures Chemical facility security risks should not be transferred to surrounding communities
Who Is Regulated? Whether CFATS applies to a facility depends on the facility’s unique characteristics, starting with the quantity of Chemicals of Interest (COI) the facility possesses. Potential regulation is not based on the facility type, meaning that many different types of facilities may be subject to CFATS, including: Chemical manufacturers Warehouses and distributors Oil and gas operations Congress did exempt several types of facilities from regulation: Facilities regulated under the Maritime Transportation Security Act (MTSA) or regulated by the Nuclear Regulatory Commission (NRC) Facilities owned or operated by the Departments of Defense or Energy Public water systems and water treatment works Hospitals Semi-conductor manufacturers Colleges and universities
Initiate CFATS Process Complete Top-Screen Complete SVA or ASP Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Facility with Chemicals of Interest (COI) at or above the Screening Threshold Quantity (STQ) recognizes the need to submit a Top-Screen and completes CVI training and CSAT user registration. CFATS Help Desk registers the facility and provides a user ID and password. Facility completes Top-Screen, identifying chemicals and quantities and providing other relevant information. DHS reviews Top-Screen information and determines the facility's Preliminary Tier status or determines that facility is not high risk. DHS sends facility a Preliminary Tier letter and deadline for completing a Security Vulnerability Assessment (SVA) or an Alternative Security Program (ASP for Tier 4 facilities, if they choose). If DHS has determined that the facility is not high risk, the facility is sent a letter releasing it from further regulation. Covered (high-risk) facility completes an SVA or ASP to provide more detailed information about COI and vulnerability to attack. SVA/ASP Review Complete SSP or ASP Authorization Inspection & Approval Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 DHS reviews SVA or ASP information provided and determines either the facility’s Final Tier or that facility is not high risk. DHS notifies the facility of its final status, and tiered facilities are provided deadlines for completing an Site Security Plan (SSP) or ASP. Facility completes an SSP or ASP detailing site-specific security measures to satisfy applicable Risk-Based Performance Standards. DHS reviews SSP or ASP and (a) issues an authorization letter for SSP or ASP and schedules an inspection or (b) issues notice to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. DHS conducts authorization inspection, reviews all available information, and either issues a Letter of Approval for the SSP or ASP or issues notice to the facility to resolve deficiencies. Failure to resolve deficiencies may result in disapproval. If SSP or ASP is approved, DHS conducts compliance inspections on a regular and recurring basis to verify continued compliance with the approved SSP or ASP.
Risk-Based Performance Standards RBPS guidance, though non-prescriptive, exemplifies security measures that covered facilities may wish to consider when developing SSPs or ASPs. Facilities are free to include other measures in their SSPs or ASPs, provided such measures satisfy applicable RBPS. Restrict area perimeter Secure site assets Screen and control access Deter, detect, delay Shipping, receipt, and storage Theft and diversion Sabotage Cyber Response Monitoring Training Personnel surety Elevated threats Specific threats, vulnerabilities, or risks Reporting of significant security incidents Significant security incidents and suspicious activities Officials and organization Records
Program Status: Covered Facilities DHS has received over 46,000 Top-Screens. Of the Top-Screens received and analyzed, DHS issued preliminary tier notification and SVA due dates to over 8,500 facilities. DHS has received over 8,500 SVAs and has reviewed nearly all of them. As of November 4, 2013, CFATS covers 4,321 facilities (3,398 final tiered facilities, 923 preliminarily tiered facilities) across all 50 states. Tier Final Tiered Facilities Facilities Awaiting Final Tier 1 110 12 2 359 50 3 1032 174 4 1897 687 Total 3398 923 All statistics are current as of November 4, 2013
Program Status: Other Results Since the program’s inception, more than 3,000 facilities have voluntarily removed or reduced the onsite quantity of chemical of interest (COI), or modified their processes, to the point that they are no longer considered high-risk
Progress on CFATS Implementation The Department is working to continuously strengthen the CFATS program and improve its implementation Progress in the last year includes: Improving the SSP/ASP review process and increasing the pace of SSP/ASP reviews and approvals Engaging industry in the development of ASP templates Instituting corporate security reviews Completing an external peer review of the CFATS risk assessment methodology Publishing a Federal Register 60- Day Notice on the Personnel Surety Program. The Notice closed on June 4, 2013 Conducting the first Compliance Inspection in September Upcoming: 30-Day Personnel Surety Notice in the Federal Register
Executive Order on Chemical Safety and Security On August 1, 2013, the President issued an Executive Order to improve the safety and security of chemical facilities and reduce the risks of hazardous chemicals to first responders, workers, and communities. The Executive Order directs the Federal Government to: Improve operational coordination with state and local partners; Enhance federal agency coordination and information sharing; Modernize policies, regulations and standards; and Work with stakeholders to identify best practices. DHS, along with the Environmental Protection Agency (EPA) and the Department of Labor (DOL), are serving as co-chairs for the Chemical Safety and Security Working Group. Federal agencies have formed sub-working groups and begun implementing actions of the Executive Order. More information can be found at http://www.whitehouse.gov/the-press-office/2013/08/01/executive-order-improving-chemical-facility-safety-and-security
Executive Order Improving Chemical Facility Safety and Security Comments and questions are also being collected through submission to eo.chemical@hq.dhs.gov EO Listening Sessions November 5, 2013 Texas City, Texas November 15, 2013 Washington, DC November 19, 2013 Springfield, IL November 25, 2013 Webinar December 4, 2013 Hamilton, NJ December 11, 2013 Orlando, FL December 16, 2013 Week of January 8, 2014 California (Tentative) January 14, 2014 Week of January 20, 2014 Houston, TX (Tentative)
Learn More About CFATS CFATS Web site: For CFATS Frequently Asked Questions (FAQs), and other useful CFATS-related information, please go to www.dhs.gov/chemicalsecurity. Presentations and Conferences: DHS is interested in participating in events to provide information and updates on the CFATS program– request a presentation or a chemical security conference booth by e-mailing DHS at CFATS@dhs.gov. CFATS Help Desk: DHS has developed a CFATS Help Desk that individuals can call or email with questions on the CFATS program. Toll-Free number: 1-866-323-2957; e-mail address: csat@dhs.gov.
Frank Blair Chemical Security Inspector, ISCD Frank.Blair@hq.dhs.gov