1. Chemical Facility Anti-Terrorism Standards (CFATS)
Mystic REPC
October 23, 2018

2. The CFATS Regulation
The CFATS program identifies and regulates high-risk chemical facilities to ensure they implement appropriate security measures to reduce the risk of a terrorist attack associated with more than 300 chemicals of interest (COI). If held in specified quantities and concentrations, these chemicals must be reported to DHS. Facilities that store, manufacture, or distribute COI at or above screening threshold quantities (STQ) are required to comply with the CFATS standards.
CFATS follows a risk-based approach, allowing DHS to focus on high-risk chemical facilities in accordance with their specific level of risk

3. Essentials of the CFATS Program
DHS uses information submitted through an online survey (Top-Screen) to determine if a facility is high-risk
High-risk (i.e., covered) facilities are placed in 4 tiers. Tier 1 represents the highest risk
Covered facilities are required to develop and implement security plans that meet
applicable risk-based performance
standards (RBPS)
More than 3,000 facilities have
eliminated, reduced, or modified
their holdings and/or processes
and are no longer considered high-risk

4. If the facility receives a tier…
The CFATS Process
Submit Top-Screen
Provide a Security Vulnerability Assessment (SVA)/Complete Site Security Plan (SSP) or Alternative Security Plan (ASP)
Receive Authorization and an Authorization Inspection
Receive Approval of the SSP/ASP
Implement Planned Measures and Undergo Regular Compliance Inspections
If the facility receives a tier…
Facility may be tiered in or drop out
Receive a Tier (1-4)
or be deemed not high-risk
All facilities with COI
High-risk facilities
DHS provides compliance assistance upon request at any stage of this process
More than 150 Chemical Security Inspectors are available for support across the country

5. Industries with Facilities Regulated by CFATS
CFATS regulates facilities in various industries, including:
Academia (College & Universities)
Aerial Sprayers (Non-Fertilizer)
Breweries
Cold Chain/Refrigeration
Energy Utilities
Fisheries and Hatcheries
Food Processors and Co-Ops
Healthcare (Hospitals & Providers)
Laboratories
Metal Service and Metal Merchants
Mining
Motor Vehicle Parts Manufacturing
Paints/Coatings
Petrochemical Manufacturing
Petroleum Refining/Oil Drilling
Plastics
Pulp and Paper
Race Tracks
Retail Storage and Distribution
Semiconductors
Water Parks, Pools, and Filtration
Wineries AN
H202 CI
NH3

6. Region 1 and Massachusetts Snapshot
CFATS Covered Facilities
Entire CFATS Program
3,365
Region 1
142
Massachusetts 71
Member Communities with covered facilities 7
Massachusetts is part of Region 1, which includes Vermont, Rhode Island, Maine, New Hampshire, and Connecticut.
There are six Chemical Security Inspectors, one Chief of Regulatory Compliance, and one Regulatory Analyst in Region 1.
All statistics are current as of October 2018

7. CFATS National Footprint
- Puerto Rico (Region 2)
- Hawaii
(Region 9)
- Guam (Region 9)
Region 1
Region 2
Region3
Region 6
Region 7
Region 8
Region 9
Region 10
Region 4
Number of Approvals, by State
Region 5
Region 5

8. Risk-Based Performance Standards
RBPS-8 Cyber
RBPS-13 Elevated Threats
RBPS-14 Specific Threats, Vulnerabilities, or Risks
RBPS-1 Restrict Area Perimeter
- Under the CFATS Act of 2014, a CFATS-covered facility must submit for DHS approval an SSP or, if the facility chooses, an ASP that contains security measures that meet all applicable RBPS developed by DHS.
RBPS are non-prescriptive, and thus provide facilities with substantial flexibility, including the ability to leverage existing measures where appropriate.
CFATS currently has 18 RBPS, addressing areas such as perimeter security; shipping, receipt, and storage; cybersecurity; personnel surety; training; and recordkeeping.
- Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and physical and operating environments.
Consequently, measures appropriate to meet an RBPS for one type of facility will not necessarily be appropriate for anther type of facility (e.g., DHS would not expect a covered university to necessarily employ the same type of measures as a large chemical manufacturer).
Expedited Approval Program
Rather than prescribe specific security measures, DHS developed 18 risk- based performance standards (RBPS)
Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and physical and operating environments

9. RBPS 9 – Response
Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders.
Response focuses on the planning to mitigate, respond, and report incidents in a timely manner between facility personnel, first responders, and law enforcement
Local Emergency Planning Committees (LEPC) may be contacted by local Chemical Security Inspectors to verify that facilities have developed plans for emergency notification, response, evacuation, etc.
IP Gateway (EO Portal) – A DHS platform to share and coordinate CFATS information among Federal, State, local, territorial, and tribal (SLTT) agencies partners.

10. RBPS 9 – Response Cont.
What are some possible facility security components related to RBPS-9?
Crisis Management Plan
Communication Systems
Process Safeguards
Outreach
What are some activities a facility may want to include in its Crisis Management Plan?
Contingency Plans
Continuity of Operations Plan
Emergency Response
Post-incident Security
Evacuation
Notification Control
Re-entry
Security Response

11. RBPS 9 – Response Cont.
The work that high-risk chemical facilities do with first responders and law enforcement to ensure emergency response measures are in place prior to an incident bolsters our nation’s security.

12. Spreading the Word
DHS continues to expand outreach efforts and reach deeper into communities
Increasing Federal, state, local, tribal, and territorial interagency coordination
Communicating directly with facilities and corporations
Participating in industry association meetings and conferences
Working with communities and first responders

13. Critical Infrastructure Training Resources
DHS offers a wide array of free tools and resources to government and private sector partners to enable the critical infrastructure security and resilience mission. Visit: to access:
Cross-Sector Resources: Suspicious Activity Reporting Tool, Active Shooter Preparedness, etc.
Sector-Specific Resources: DHS Sector-Specific Agencies (SSAs), Co- SSAs, and Other Department SSAs
Assessment Resources: Cybersecurity Evaluation Program (CSEP), Regional Resiliency Assessment Program (RRAP), etc.
You can also access FEMA training by visiting:
*NEW SLIDE*

14. Chemical Sector Training Resources
DHS has developed a series of Web-based security awareness training courses for the critical infrastructure community and the Chemical Sector
Advance your security awareness by completing training courses:
How to Counter Insider Threats
How to Prepare For and Respond to an Active Shooter Situation
Access these security training courses by visiting:
*NEW SLIDE*

15. What is the IP Gateway?
The IP Gateway is centrally-managed repository of data and capabilities, and allows stakeholders to easily access, search, retrieve, visualize, analyze, and export infrastructure data from multiple sources.
DHS established the IP Gateway to improve Federal agency information sharing and coordination among Federal, State, local, territorial, and tribal (SLTT) agencies partners.
*NEW SLIDE*
IP Gateway maintains three layers of information protection:
Protected Critical Infrastructure Information (PCII)
Chemical-terrorism Vulnerability Information (CVI)
For Official Use Only (FOUO)

16. CFATS and the IP Gateway
Through the IP Gateway, CFATS data is available in a FOUO layer and a CVI layer to authorized Federal, SLTT, and first responders with an established “need-to-know” as determined DHS.
FOUO access allows users to view information on a chemical facility (such as name, location, and geospatial information) within their State, county, and surrounding counties, whereas CVI access includes additional information, such as CFATS tiers.
How do I gain access to the IP Gateway?
To request access, contact your ISCD Chief of Regulatory Compliance by calling the Chemical Security Assessment Tool (CSAT) Help Desk or
*NEW SLIDE*

17. Protective Security Advisors proactively engage with government partners and the private sector to protect critical infrastructure. For more information or to contact your local PSA,
The Ready Campaign provides help with planning for businesses at
DHS Active Shooter resources are available at
“If You See Something, Say Something™”
Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI) information is available at SAR training for private sector partners is located at
Counter-Improvised Explosive Device information and resources are available at
InfraGard is a public-private partnership between the FBI and the private sector that represents individuals from businesses, academic institutions, State and local law enforcement, fire and EMS agencies, as well as other participants dedicated to sharing information, education, and intelligence. Please go to and
Information on DHS cybersecurity programs is available at To find out more about the Cybersecurity Awareness Campaign, go to For tips from the U.S. Computer Emergency Response Team, go to

18. Fran Patno
Chemical Security Inspector