Securing the Chemical Sector: An Outline of the Chemical Security Program December 4, 2007
Agenda Chemical Facility Anti-Terrorism Standards (CFATS): An Overview Appendix A Risk Based Performance Standards (RBPS) Chemical Security Analysis Tool (CSAT) Chemical-terrorism Vulnerability Information (CVI) Roll Out
Chemical Facility Anti-terrorism Standards (CFATS): Overview Section 550 of the DHS Appropriations Act of 2007 gave the Department the authority to regulate the security of “high risk” chemical facilities. DHS was given 6 months to plan, build, and implement a complex and extensive new regulatory regime. DHS first put a proposed version of the rule out for public comment in December 2006. DHS reviewed comments received and incorporated many into the Interim Final Rule. The DHS final chemical facility security regulatory regime—the Chemical Facility Anti-Terrorism Standards (CFATS) Interim Final Rule—was published on April 9, 2007, and went into effect on June 8, 2007. CFATS is risk-based and requires covered facilities to fulfill certain risk based performance standards on security.
Chemicals of Interest: Appendix A DHS will identify the universe of potentially high risk facilities using its Chemicals of Interest (COI) list or Appendix A. A chemical facility that possesses any Appendix A chemical at or above its screening threshold quantity (STQ) must complete and submit a CSAT Top-Screen to DHS. Appendix A was out for public comment until May 9, 2007, and DHS received thousands of comments that influenced the final Appendix A, published on November 20, 2007. The final version of Appendix A will enable DHS to meet its mandate and also facilitate industry compliance.
CFATS and Risk Based Performance Standards (RBPS) RBPS serve as the security building blocks for the CFATS program. RBPS drive the security performance at facilities in each of the four risk-based tiers. RBPS provide facilities with flexibility and allow for the use of existing measures, ideas and expertise. RBPS cover various aspects of security. A facility only has to meet those RBPS that apply to it. Restrict Area Perimeter Secure Site Assets Screen and Control Access Deter, Detect, and Delay Shipping, Receipt, and Storage Theft and Diversion Sabotage Cyber Response Monitoring Training Personnel Surety Elevated Threats Specific Threats, Vulnerabilities, or Risks Reporting of Significant Security Incidents Significant Security Incidents and Suspicious Activities Officials and Organization Records Additional Performance Standards the Assistant Secretary May Specify
Chemical Security Assessment Tool (CSAT) CSAT is the IT backbone of the CFATS program and has 3 main components. Top-Screen Places a facility in a preliminary tier or determines that it is excluded from the regulation. Security Vulnerability Analysis (SVA) Assesses security measures in place that mitigate or reduce the likelihood of success of an attack on an asset. Site Security Plan (SSP) Captures specific security measures the facility has or will implement to meet the applicable risk-based performance standards (RBPS). User Registration and the Top-Screen are now operational. SVA and SSP will be fully operational and available for use by facilities subject to the regulation by the time these requirements become effective under CFATS. In accordance with the phased approach for CFATS implementation, facilities must first complete and submit Top-Screens prior to developing SVAs and SSPs. The CSAT application designed to screen prospective and current facility personnel with information provided by facilities, the Chemical Security Screening (CSS) tool, is not expected to be released for operation until Spring 2008. The CSS will be available for regulated facilities to submit the names of prospective and/or current personnel by the time this requirement becomes effective.
CSAT Process Overview Yes No 1. Identify Candidate Sites 2. Perform Top-Screen Potentially High Risk Facility?* Non-covered Facilities 3. Assign Preliminary Tier 4. Perform SVA High Risk Facility? No Yes 5. Assign Final Tier 6. Develop SSP 7. Review SSP 8. Implement SSP 9. Perform Inspection Risk- Based Performance Standards DHS Responsibility Owner/Operator Responsibility *Based on consequentiality
Chemical-terrorism Vulnerability Information (CVI) The Advance Notice explained the creation of a new category of information protection, CVI, and set forth the rules governing its maintenance, handling, and disclosure. DHS provides CVI training and certification. All CVI materials must be appropriately marked, handled, and stored. Eligible Persons to use CVI: Facility employees Federal employees, contractors, and grantees State/local government employees Violation of CVI rules is grounds for a civil penalty and/or other enforcement or corrective action by DHS and appropriate personnel actions for Federal employees.
CFATS Roll Out Phase 1 Focuses on potential high risk facilities. CSCD is engaged and working with phase 1a facilities. Phase 2 Any facility with a chemical(s) of interest at or above the STQs in final Appendix A published on November 20, 2007 is required to complete and submit a Top-Screen to DHS by January 22, 2007.
866-323-2957 or csat@dhs.gov CFATS Helpdesk 7am to 7 pm, Eastern Time, Mon. to Fri. Closed Federal Holidays Single entry point for definitive answers to questions regarding CFATS Questions, issues, and calls are escalated and answered by CSCD. The more complex the questions, the longer the time for response. 866-323-2957 or csat@dhs.gov
Ethylene Oxide Ethylene oxide is a Chemical of Interest (COI) under CFATS Ethylene oxide is categorized as a release-flammable COI Release-flammables are chemicals with the potential to create a vapor cloud explosion that would affect populations within and beyond the facility While ethylene oxide is treated as both a toxic and a flammable under EPA RMP, CFATS treats it solely as a flammable COI because, in an intentional release, it is more likely to act like a flammable and create an explosive vapor cloud The STQ for ethylene oxide is 10,000 pounds This means that any facility possessing 10,000 or more pounds of ethylene oxide must complete a Chemical Security Assessment Tool (CSAT) Top-Screen by January 22, 2007 This is the same threshold as the EPA RMP threshold Ethylene oxide in mixtures is treated as a COI under certain conditions If the facility has a flammable mixture which consists of 1% or more ethylene oxide by weight, and has a NEPA flammability hazard rating of 4, the mixture is considered a COI, and the entire weight of the mixture should be counted towards the facility’s STQ for ethylene oxide