Chemical Facility Anti-terrorism Standards (CFATS) Compliance Plan Overview prepared by The Office of Environmental Health & Safety 1
Background In late 2006, Congress passed the Department of Homeland Security Act of In addition to providing money for the Department of Homeland Security (DHS), the law gives DHS the authority to regulate the nation’s highest risk chemical facilities and directs DHS to develop chemical facility security regulations. 2
In 2007, DHS published the regulations (6 CFR part 27), which are known as CFATS. CFATS took effect in 2007 and require “high-risk” chemical facilities to enhance security and establish new procedures for protecting chemical facility security information. Whether a facility is “high risk” is a risk-based determination made by DHS on a facility-by-facility basis. Generally, the type and amount of chemicals that a facility possesses determine whether – and to what extent – a facility is subject to CFATS. 3
The Process When a facility possesses any of the 325 chemicals of interest (COI) at or above the threshold level list in Appendix A; the facility must submit a report to DHS via a secure web portal. This report is known as the Top-Screen. 4
After reviewing the Top-Screen, DHS notifies each facility of their preliminary security risk determination. Facilities that do not “present a high level of security risk” are not subject to CFATS. These facilities have no further regulatory obligation – though a material modification at the facility may prompt further inquiry. (Even when a facility is not regulated, COI should be kept secured.) Facilities that do “present a high level of security risk” are subject to additional review and must complete a Security Vulnerability Assessment (SVA). 5
Facilities that are required to complete a SVA must submit the completed SVA back to DHS within the specific timeline based on their preliminary risk based tier level. There are four risk-based tiers ranging from high (Tier 1) to low (Tier 4). Based on your SVA, DHS will perform a final threat analysis to determine your facility's final tier level. 6
For facilities that are determined to be high- risk, DHS requires each of the facilities to comply with regulatory measures, including developing and implementing a Site Security Plan (SSP) or Alternate Security Plan (ASP), which describes security measures (both physical and procedural). DHS has the authority to impose civil penalties up to $25,000 a day and/or, shut down non- compliant facilities. 7
Any information that is developed and/or submitted to DHS pursuant to CFATS is protected under the Chemical-terrorism Vulnerability Information (CVI) law from inappropriate public disclosure. CVI must be safeguarded at all times and it can not be shared with other, non-CVI users. 8
Process for Compliance 9
OSU faculty and staff need to maintain a chemical inventory in the EHS Assistant web-based chemical inventory system.EHS Assistant Any changes involving COI must be reported to EHS within 30 days of the occurrence. EHS will review the submitted chemical inventories for COI and quantities. If any COI are over threshold limits, EHS will contact PI/ Supervisor to verify the COI and the reported quantity. 10
Upon verification of a COI at or above threshold, EHS will advise the PI that additional security measures should be taken to safeguard the COI. EHS will Perform/Update Top Screen Based upon DHS’s preliminary risk based tier level, EHS may request additional information in order to complete the SVA. If DHS’s final risk determination is that your facility is a high risk facility, EHS will request that you assign a Facility Security Coordinator (FSC) who will work with EHS to develop your ASP/SSP. 11
EHS will complete the ASP/SSP and will discuss security policies and procedures detailed in the plan with the FSC prior to submitting the completed plan to DHS for approval. In the event that DHS does not approve the initial ASP/SSP, EHS in conjunction with the FSC, will modify the plan as needed and re-submit to DHS. 12
Compliance Time Lines If you possess any COI at or above threshold, the Top Screen must be submitted to DHS within 60 days. If required, SVA’s must be submitted within 90 days. If required, SSP’s/ASP’s must be submitted within 120 days. Tier 1 & 2 facilities must re-submit every 2 years. Tier 3 & 4 facilities must re-submit every 3 years. 13
Challenges to Compliance The vast size of the university offers major challenges in the following areas: – Coordination – Communication – Training – Monitoring – Physical Security – Location of Branch Campuses 14
Facilities that have COI’s include: – Hospitals – School of Medicine – School of Veterinary Medicine – Research Labs – Aquatic Facilities – Airport – Motor Pools – Buildings and Grounds – Agriculture Research Facilities 15
For COI users, training will need to be provided to ensure that the knowledge and the tools are available to comply with CFATS. For facility’s over threshold, Facility Security Coordinators (FSC’s) will need to be assigned and trained. It will be necessary to constantly monitor chemical inventories for any changes that impact COI threshold levels. Reviews will need to be conducted to ensure that all plans are kept current and in compliance with the latest regulations. 16
All PI’s and/or Lab managers must use EHS Assistant, which is the web-based chemical inventory system. Using EHS Assistant, PI/Lab managers can update their inventory or other information, respond to questions or correct any questions on their inspections. Inventories must be submitted on a annual basis and PI/Lab managers must certify that they are correct. 17
For additional information, contact: John Sharpe: – Work: – Cell: – 18
Web Sites EHS: EHS Assistant: DHS Chemical Security: shtm shtm 19