Regulatory Puzzle


The Chemical Facility Anti-Terrorism Standards (CFATS) is a federal regulation (6 CFR 27) implemented by the U.S. Department of Homeland Security (DHS). The standards could apply to a facility that manufactures, uses, stores, or distributes certain chemicals at or above a specified quantity listed in Appendix A.

CFATS is a set of risk-based performance standards that require covered chemical facilities to prepare Security Vulnerability Assessments, which identify facility security vulnerabilities, and to develop and implement Site Security Plans, which include measures that satisfy risk-based performance standards. It also allows certain covered chemical facilities, in specified circumstances, to submit Alternate Security Programs in lieu of a Security Vulnerability Assessment, Site Security Plan, or both.

There are 10 main categories in the CFATS process:

1. Applicability of CFATS:

CFATS applies to any facility that possesses chemicals at threshold quantities that meet the requirements of Appendix A or any facility that is directed to be regulated under the Assistant Secretary of DHS. 

2. Determining Security Risk

DHS determines whether facilities are regulated based on the facility’s Top Screen(s), SVA(s), chemical(s) and any other relevant security information. Factors for the final high-risk determination include: the facility’s location, nearby population, the facility’s vulnerability, nature of chemical possessed and contribution.


The CSAT tool is a secure web-based system that facilities utilize to conduct a Top-Screen, Security Vulnerability Assessment (SVA) and Site Security Plan (SSP). The CSAT tool can be accessed only by Chemical-terrorism Vulnerability Information (CVI) certified individuals.

b. Top Screen

A Top-Screen is an information-gathering tool accessed through CSAT that helps DHS identify high-risk chemical facilities subject to the CFATS requirements (6 CFR Part 27). Further, if facilities are subject to CFATS, this tool helps DHS determine preliminary tier placements for those facilities.

c. Risk Based tiers

DHS may determine at any time that a chemical facility presents a high level of security risk based on any information available that indicates a potential that a terrorist attack could result in significant adverse consequences to human life or health, national security or critical economic assets.

Upon determining that a facility presents a high level of security risk, DHS will notify the facility in writing of such a determination and may also notify the facility of its preliminary tier (pursuant to 6 CFR §27.220(a)).

Following the review of a covered facility's SVA, DHS will notify the covered facility of its final placement within a risk-based tier. DHS will then place the covered facilities in one of four risk-based tiers, ranging from highest risk facilities in Tier 1 to lowest risk facilities in Tier 4.

3. Security Vulnerability Assessment (SVA)

After a facility is tiered and DHS has determined it is high risk, the facility must complete a Security Vulnerability Assessment. A Security Vulnerability Assessment will include:

(1) Asset Characterization, which includes the identification and characterization of potential critical assets; identification of hazards and consequences of concern for the facility, its surroundings, its identified critical asset(s), and its supporting infrastructure; and identification of existing layers of protection;

(2) Threat Assessment, which includes a description of possible internal threats, external threats, and internally-assisted threats;

(3) Security Vulnerability Analysis, which includes the identification of potential security vulnerabilities and the identification of existing countermeasures and their level of effectiveness in both reducing identified vulnerabilities and in meeting the applicable Risk-Based Performance Standards;

(4) Risk Assessment, including a determination of the relative degree of risk to the facility in terms of the expected effect on each critical asset and the likelihood of success of an attack; and

(5) Countermeasures Analysis, including strategies that reduce the probability of a successful attack or reduce the probable degree of success, strategies that enhance the degree of risk reduction, the reliability and maintainability of the options, the capabilities and effectiveness of mitigation options, and the feasibility of the options. 

4. Risk Based Performance Standards (RBPS)

When the SVA is completed and the final tiering letter is issued, the covered facilities must satisfy the RBPS standards in conjunction with completing a Site Security Plan. DHS issued RBPS guidance standards to risk-based tiers of covered facilities to assist facilities in completing their SSP through CSAT. The guidance helps facilities comply with CFATS by describing in detail the eighteen RBPSs and providing examples of various security measures and practices that can achieve the desired level of performance for each RBPS at each tier.

Each covered facility must develop a Site Security Plan and implement appropriately risk-based measures designed to satisfy the following performance standards:

  • Restrict Area Perimeter. Secure and monitor the perimeter of the facility;
  • Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility;
  • Screen and Control Access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter, including,
  • Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to:
  • Shipping, Receipt, and Storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility;
  • Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals;
  • Sabotage. Deter insider sabotage;
  • Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business systems, and other sensitive computerized systems;
  • Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders;
  • Monitoring. Maintain effective monitoring, communications and warning systems, including,
  • Training. Ensure proper security training, exercises, and drills of facility personnel;
  • Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including,
  • Specific Threats, Vulnerabilities, or Risks. Address specific threats, vulnerabilities or risks identified by the Assistant Secretary for the particular facility at issue;
  • Reporting of Significant Security Incidents. Report significant security incidents to the Department and to local law enforcement officials;
  • Significant Security Incidents and Suspicious Activities. Identify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the site;
  • Officials and Organization. Establish official(s) and an organization responsible for security and for compliance with these standards;
  • Records. Maintain appropriate records; and
  • Address any additional performance standards the Assistant Secretary may specify.

5. Site Security Plan (SSP)

Once facilities have submitted their Security Vulnerability Assessment (SVA) and received a tiering letter from DHS, they must complete and submit a Site Security Plan (SSP) with help from the RBPS guidance document described above. Covered facilities will have 120 days from the time of the written notification to complete and submit an SSP.

The Site Security Plan must: (1) address each vulnerability identified in the facility's SVA; (2) describe how they intend to address the applicable RBPS standards and potential modes of terrorist attack; (3) identify and describe how they will meet or exceed each applicable RBPS standard; and (4) specify all other necessary information.

6. Background Checks / Personnel Surety

One of the most important risk-based performance standards a covered facility would have to perform is personnel surety, or background checks. A background check is the process of acquiring information on an individual regarding the legal authority to work for a high-risk chemical facility, including access to restricted areas and critical assets. Background checks can range from employment screening to comprehensive investigations that consider prior criminal activity, immigration status, credit checks, potential terrorist ties, and other criteria.

Covered facilities are required to perform four types of background checks on facility personnel who have access to restricted areas or critical assets:

  1. Measures designed to verify and validate identity.
  2. Measures designed to check criminal history.
  3. Measures designed to verify and validate legal authorization to work.
  4. Measures designed to identify people with terrorist ties.

7. Inspections and Audits

After the facility completes the Site Security Plan, DHS may enter, inspect, and audit the facility’s property, equipment and records to verify their SSP. With respect to timing, DHS will provide the facility a 24-hour advance notice before inspections, unless a special exception applies under 6 CFR 27.250(c).

If, after the inspection, DHS determines that the requirements of 6 CFR 27.225 have been met, DHS will issue a Letter of Approval to the covered facility. If the above requirements have not been met, then the facility will be issued a “Review and Approval of Site Security Plans” under 6 CFR 27.245(b).

8. Record Keeping

The covered facility must keep records of the activities for at least three years and make them available to DHS upon request. Specifically, records pertaining to:

  • Training.
  • Drills and exercises.
  • Incidents and breaches of security.
  • Maintenance, calibration, and testing of security equipment.
  • Security threats.
  • Audits; and
  • Letters of Authorization and Approval.

9. Chemical-terrorism Vulnerability Information (CVI)

Chemical-terrorism Vulnerability Information (CVI) is protected information under 6 CFR 27.400. CVI users must designate CVI materials properly and protect this sensitive information from public disclosure. The protections include: the storage of CVI, marking CVI, transmitting CVI and the destruction of CVI.

The following information is CVI protected: (1) SVAs; (2) SSPs; (3) Documents relating to DHS's review and approval of SVAs and SSPs; (4) Alternate Security Programs; (5) Documents relating to inspection or audits; (6) Any records required to be created or retained under recordkeeping requirements; (7) Sensitive portions of orders, notices or letters; (8) Information developed regarding security risk for a chemical facility; (9) Other information developed for chemical facility security purposes.

10. Helpful Resources:


DHS has set up a user-friendly webpage for questions and answers on their website covering all the steps in the CFATS process.

b. The Chemical Sector Security Summit

The Chemical Security Summit is held annually during the months of June and July. Last year the location was Baltimore, Md. The event was co-sponsored by the Chemical Sector-Specific Agency within the Department of Homeland Security Office of Infrastructure Protection (IP) and the Chemical Sector Coordinating Council (CSCC) with SOCMA as the lead.
