Chemical Facility Anti-Terrorism Standards (CFATS) Mystic REPC October 23, 2018
The CFATS Regulation The CFATS program identifies and regulates high-risk chemical facilities to ensure they implement appropriate security measures to reduce the risk of a terrorist attack associated with more than 300 chemicals of interest (COI). If held in specified quantities and concentrations, these chemicals must be reported to DHS. Facilities that store, manufacture, or distribute COI at or above screening threshold quantities (STQ) are required to comply with the CFATS standards. CFATS follows a risk-based approach, allowing DHS to focus on high-risk chemical facilities in accordance with their specific level of risk
Essentials of the CFATS Program DHS uses information submitted through an online survey (Top-Screen) to determine if a facility is high-risk High-risk (i.e., covered) facilities are placed in 4 tiers. Tier 1 represents the highest risk Covered facilities are required to develop and implement security plans that meet applicable risk-based performance standards (RBPS) More than 3,000 facilities have eliminated, reduced, or modified their holdings and/or processes and are no longer considered high-risk
If the facility receives a tier… The CFATS Process Submit Top-Screen Provide a Security Vulnerability Assessment (SVA)/Complete Site Security Plan (SSP) or Alternative Security Plan (ASP) Receive Authorization and an Authorization Inspection Receive Approval of the SSP/ASP Implement Planned Measures and Undergo Regular Compliance Inspections If the facility receives a tier… Facility may be tiered in or drop out Receive a Tier (1-4) or be deemed not high-risk All facilities with COI High-risk facilities DHS provides compliance assistance upon request at any stage of this process More than 150 Chemical Security Inspectors are available for support across the country
Industries with Facilities Regulated by CFATS CFATS regulates facilities in various industries, including: Academia (College & Universities) Aerial Sprayers (Non-Fertilizer) Breweries Cold Chain/Refrigeration Energy Utilities Fisheries and Hatcheries Food Processors and Co-Ops Healthcare (Hospitals & Providers) Laboratories Metal Service and Metal Merchants Mining Motor Vehicle Parts Manufacturing Paints/Coatings Petrochemical Manufacturing Petroleum Refining/Oil Drilling Plastics Pulp and Paper Race Tracks Retail Storage and Distribution Semiconductors Water Parks, Pools, and Filtration Wineries AN H202 CI NH3
Region 1 and Massachusetts Snapshot CFATS Covered Facilities Entire CFATS Program 3,365 Region 1 142 Massachusetts 71 Member Communities with covered facilities 7 Massachusetts is part of Region 1, which includes Vermont, Rhode Island, Maine, New Hampshire, and Connecticut. There are six Chemical Security Inspectors, one Chief of Regulatory Compliance, and one Regulatory Analyst in Region 1. All statistics are current as of October 2018
CFATS National Footprint - Puerto Rico (Region 2) - Hawaii (Region 9) - Guam (Region 9) Region 1 Region 2 Region3 Region 6 Region 7 Region 8 Region 9 Region 10 Region 4 Number of Approvals, by State 0 1-10 11-20 21-30 30+ Region 5 Region 5
Risk-Based Performance Standards RBPS-8 Cyber RBPS-13 Elevated Threats RBPS-14 Specific Threats, Vulnerabilities, or Risks RBPS-1 Restrict Area Perimeter - Under the CFATS Act of 2014, a CFATS-covered facility must submit for DHS approval an SSP or, if the facility chooses, an ASP that contains security measures that meet all applicable RBPS developed by DHS. RBPS are non-prescriptive, and thus provide facilities with substantial flexibility, including the ability to leverage existing measures where appropriate. CFATS currently has 18 RBPS, addressing areas such as perimeter security; shipping, receipt, and storage; cybersecurity; personnel surety; training; and recordkeeping. - Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and physical and operating environments. Consequently, measures appropriate to meet an RBPS for one type of facility will not necessarily be appropriate for anther type of facility (e.g., DHS would not expect a covered university to necessarily employ the same type of measures as a large chemical manufacturer). Expedited Approval Program Rather than prescribe specific security measures, DHS developed 18 risk- based performance standards (RBPS) Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and physical and operating environments
RBPS 9 – Response Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders. Response focuses on the planning to mitigate, respond, and report incidents in a timely manner between facility personnel, first responders, and law enforcement Local Emergency Planning Committees (LEPC) may be contacted by local Chemical Security Inspectors to verify that facilities have developed plans for emergency notification, response, evacuation, etc. IP Gateway (EO Portal) – A DHS platform to share and coordinate CFATS information among Federal, State, local, territorial, and tribal (SLTT) agencies partners.
RBPS 9 – Response Cont. What are some possible facility security components related to RBPS-9? Crisis Management Plan Communication Systems Process Safeguards Outreach What are some activities a facility may want to include in its Crisis Management Plan? Contingency Plans Continuity of Operations Plan Emergency Response Post-incident Security Evacuation Notification Control Re-entry Security Response
RBPS 9 – Response Cont. The work that high-risk chemical facilities do with first responders and law enforcement to ensure emergency response measures are in place prior to an incident bolsters our nation’s security.
Spreading the Word DHS continues to expand outreach efforts and reach deeper into communities Increasing Federal, state, local, tribal, and territorial interagency coordination Communicating directly with facilities and corporations Participating in industry association meetings and conferences Working with communities and first responders
Critical Infrastructure Training Resources DHS offers a wide array of free tools and resources to government and private sector partners to enable the critical infrastructure security and resilience mission. Visit: https://www.dhs.gov/critical-infrastructure-resources to access: Cross-Sector Resources: Suspicious Activity Reporting Tool, Active Shooter Preparedness, etc. Sector-Specific Resources: DHS Sector-Specific Agencies (SSAs), Co- SSAs, and Other Department SSAs Assessment Resources: Cybersecurity Evaluation Program (CSEP), Regional Resiliency Assessment Program (RRAP), etc. You can also access FEMA training by visiting: https://www.dhs.gov/critical-infrastructure-training *NEW SLIDE*
Chemical Sector Training Resources DHS has developed a series of Web-based security awareness training courses for the critical infrastructure community and the Chemical Sector Advance your security awareness by completing training courses: How to Counter Insider Threats How to Prepare For and Respond to an Active Shooter Situation Access these security training courses by visiting: https://www.dhs.gov/chemical-sector-training *NEW SLIDE*
What is the IP Gateway? The IP Gateway is centrally-managed repository of data and capabilities, and allows stakeholders to easily access, search, retrieve, visualize, analyze, and export infrastructure data from multiple sources. DHS established the IP Gateway to improve Federal agency information sharing and coordination among Federal, State, local, territorial, and tribal (SLTT) agencies partners. *NEW SLIDE* IP Gateway maintains three layers of information protection: Protected Critical Infrastructure Information (PCII) Chemical-terrorism Vulnerability Information (CVI) For Official Use Only (FOUO)
CFATS and the IP Gateway Through the IP Gateway, CFATS data is available in a FOUO layer and a CVI layer to authorized Federal, SLTT, and first responders with an established “need-to-know” as determined DHS. FOUO access allows users to view information on a chemical facility (such as name, location, and geospatial information) within their State, county, and surrounding counties, whereas CVI access includes additional information, such as CFATS tiers. How do I gain access to the IP Gateway? To request access, contact your ISCD Chief of Regulatory Compliance by calling the Chemical Security Assessment Tool (CSAT) Help Desk 1-866-323-2957 or email CSAT@dhs.gov. *NEW SLIDE*
Protective Security Advisors proactively engage with government partners and the private sector to protect critical infrastructure. For more information or to contact your local PSA, e-mail NICC@hq.dhs.gov. The Ready Campaign provides help with planning for businesses at http://www.ready.gov/business. DHS Active Shooter resources are available at http://www.dhs.gov/active-shooter-preparedness. “If You See Something, Say Something™” http://www.dhs.gov/see-something-say-something. Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI) information is available at https://nsi.ncirc.gov/. SAR training for private sector partners is located at https://nsi.ncirc.gov/hsptregistration/private_sector/. Counter-Improvised Explosive Device information and resources are available at www.dhs.gov/tripwire. InfraGard is a public-private partnership between the FBI and the private sector that represents individuals from businesses, academic institutions, State and local law enforcement, fire and EMS agencies, as well as other participants dedicated to sharing information, education, and intelligence. Please go to www.infragardmembers.org and https://www.infragard.org. Information on DHS cybersecurity programs is available at www.dhs.gov/cyber. To find out more about the Cybersecurity Awareness Campaign, go to http://www.dhs.gov/stopthinkconnect. For tips from the U.S. Computer Emergency Response Team, go to https://www.us-cert.gov/ncas/tips.
Fran Patno Chemical Security Inspector francis.patno@hq.dhs.gov