Transcript Slide 1

Securing the Chemical Sector:
An Overview of the Chemical Facility Anti-Terrorism Standards
August 29, 2007
Ronald E. Miller
Inspector
CFATS – Regulation Overview
 DHS’s chemical facility security regulatory regime—the Chemical Facility AntiTerrorism Standards (CFATS)—was published on April 9, 2007
 In developing the final regulations, DHS reviewed over 1300 pages of comments on the
ANRM submitted from over 110 commenters
 The CFATS, which will go into effect after a 60-day Congressional review period, also
includes a list of Chemicals of Interest open for public comment and review
 DHS has created the Office of Infrastructure Protection’s Chemical Security
Compliance Division (CSCD) to oversee the regulatory program
 Depending on degree of risk posed, covered chemical facilities will be placed in one
of four tiers
 Regulation will use risk-based performance standards, allowing facilities to select the most
cost-effective combination of measures to achieve an appropriate level of security
 CSCD will roll out regulatory oversight in a phased approach
 During 2007, DHS will focus its resources on approximately 50 of the highest risk facilities
 However, during 2007, all chemical facilities will be required to complete an initial
consequence screen to identify which facilities are high risk
 Security measures at chemical facilities will never compromise safety measures
 Chemical facility security risks will not be transferred to surrounding communities
2
CFATS – Regulation Overview (cont.)
The CFATS uses a multi-step process
to:
 Identify high-risk chemical facilities
 Assign high-risk chemical facilities to risk
tiers
 Identify vulnerabilities at high-risk
chemical facilities
 Develop and implement Site Security
Plans
 Inspect and audit facilities to ensure
vulnerabilities are adequately addressed
and risk-based performance standards
are met
Step 1:
Trigger Top Screen (STQ)
Step 2:
Perform Top Screen
Step 3:
Receive Preliminary Tiering
Step 4:
Perform SVA
Step 5:
Develop Site Security Plan
Step 6:
DHS Review of Site Security Plan
Other important CFATS components
include:
 Alternate Security Programs
 Adjudications Process
 CVI
Step 7:
Inspections/Audits
Step 8:
Implement Site Security Plan
3
Approximate Phase-In of Regulation
4
CSAT – Top Screen
 Top Screen
 To identify which chemical facilities are high risk, and to gather information for DHS to make
initial risk-based tiering decisions, facilities must complete a “Top Screen”
 Top Screen information will be submitted to DHS via the secure DHS CSAT website
 A facility must complete and submit a Top Screen if it possesses any of the chemicals listed
in Appendix A at the corresponding Screening Threshold Quantity (STQ)
 Designated Submitter
 Each facility must designate a submitter who is responsible for submitting the Top Screen
information to DHS
 The submitter must be designated by an officer of the corporation and domiciled in the U.S.
 Preliminary Determination
 Based on the information provided through the Top Screen process, DHS will determine
whether or not a facility “presents a high level of security risk” and thus is a covered facility
under the regulations
•
A facility’s risk primarily depends on whether or not a terrorist attack could result in significant adverse
consequences for human life or health, national security or critical economic assets
 Facilities will be notified in writing by DHS upon such a determination
 Submission Schedule
 The Top Screen must be completed and submitted within 60 days of the effective date of
Appendix A or within 60 calendar days for facilities that subsequently come into possession
of any of the chemicals listed in Appendix A at the corresponding STQs
 If a covered facility makes material modifications to its operation or site, the covered facility
must submit a revised Top Screen within 60 days of material modification
5
CSAT – Security Vulnerability Assessment
 What is the SVA?
 To better define their security posture and identify their vulnerabilities, all covered facilities
must complete a Security Vulnerability Assessment (SVA)
 Facilities in Tiers 1-3 must use the CSAT SVA tool developed by DHS
•
Tier 4 facilities may use the CSAT SVA tool or submit an approved alternate SVA under the Alternate
Security Program portion of the regulations
 SVA Makeup
 An SVA will include an asset characterization, threat assessment, security vulnerability
analysis, risk assessment, and countermeasure analysis
 Submission Schedule
 Covered facilities must complete and submit SVAs within 90 calendar days of written
notification from the Department or within the time frame specified in any subsequent
Federal Register notice
 Review and Approval
 DHS will review and approve in writing all SVAs that satisfy the requirements of § 27.215,
including Alternative Security programs submitted pursuant to § 27.235
 If an SVA does not satisfy the requirements of § 27.215, DHS will provide the facility with a
written notification that includes a clear explanation of deficiencies in the SVA
•
DHS will offer assistance to facilities that submit deficient SVAs
6
Registration for CSAT
 Registration
 In order to access the CSAT secure on-line tool, users must register with DHS
by submitting a user access form
 Process
 After completion and submittal of the user access request form, DHS will issue
unique usernames and passwords for access to the CSAT data collection tool to
protect your company’s sensitive data
 Facilities must designate:
• A Preparer – authorized to enter the required data into CSAT,
• A Submitter – certified by the company or corporation to formally submit the regulatory
required data to the Department. The Submitter must be authorized and domiciled in the
U.S, and
• An Authorizer – empowered by the facility parent company to provide assurance that
the user account request for the Preparer and Submitter is valid
 After Registration
 Upon receipt of username and password via email, and following the June 8,
2007 activation date, users may access the Top Screen CSAT collection tool
(found on-line at www.dhs.gov/chemicalsecurity)
7
Tiering of Covered Facilities
 Preliminary Tiering
 All covered facilities shall be placed within one of four risk-based tiers, ranging from the
highest risk facilities in Tier 1 to lowest risk facilities in Tier 4
•
Facilities not covered by the regulation will not be tiered
 Initial tiering decisions will be based on information about the facility received from the Top
Screen or other means
 The Department will notify a a facility of its initial risk based tier in writing
 Final Tiering
 After receiving the SVA, DHS will review the SVA and either confirm or adjust the risk-based
tier assigned to the facility
 If, after receiving its final tiering, a facility makes material modifications to their operations,
materials on site, etc., they must submit a revised Top Screen (and possibly SVA & SSP),
and their tiering may be adjusted accordingly
8
Site Security Plans
 SSP: Each covered facility must prepare and implement a Site Security Plan that:
 Addresses each vulnerability identified in the SVA and describes the security measures to
address each such vulnerability
 Identifies and describes how security measures selected by the facility meet or exceed each
applicable performance standard for the facility’s risk-based tier
 CSAT SSP
 DHS has prepared a template for a model SSP, which is available through the CSAT tool
 Facilities must use either the CSAT model SSP or an alternate SSP format approved by
DHS under the Alternate Security Program
 Submission of SSP
 SSPs must be submitted within 120 calendar days of written notification from DHS or within
the time frame specified in any subsequent Federal Register notice
 When a covered facility updates, revises or otherwise alters its SVA, the covered facility
must make corresponding changes to its SSP
 Review and Approval
 DHS will review and approve or disapprove all SSPs using a two-step process:
•
•
First, DHS will make an initial determination based solely on the SSP and, if it is acceptable, issue a
Letter of Authorization
Once SSP is authorized, DHS will inspect a facility for determination of compliance with the rule; if in
compliance, facility will receive a Letter of Approval
 If DHS disapproves a SSP, the facility will be notified in writing.
•
Note that DHS will not disapprove a SSP based on the presence or absence of a particular security
measure
9
Risk-Based Performance Standards
 Performance Standards
 Covered facilities must satisfy the Risk-Based Performance Standards (RBPSs) identified in
Section 27.230 of the regulations
 There are 19 RBPSs in the rule, addressing the following areas:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Restricted Area Perimeter
Securing Site Assets
Screening and Access Controls
Deter, Detect, and Delay
Shipping, Receipt, and Storage
Theft and Diversion
Sabotage
Cyber
Response
Monitoring
Training
12. Personnel Surety
13. Elevated Threats
14. Specific Threats, Vulnerabilities,
or Risks
15. Reporting of Significant Security
Incidents
16. Significant Security Incidents and
Suspicious Activities
17. Officials and Organizations
18. Records
19. Others as determined by DHS
 Guidance for Covered Facilities
 DHS will issue guidance on the application of these standards to risk-based tiers of covered
facilities, and the acceptable layering of measures used to meet these standards will vary by
risk based tier. 6 CFR 27.230(a)
10
Inspections and Audits
 Inspections Generally
 In order to asses compliance with the requirements of the regulations, DHS may enter,
inspect, and audit covered facilities
 Inspections will follow preliminary approval of SSPs
 Timing of Inspections
 DHS will provide 24-hour advance notice of inspections, except:
•
•
If DHS determines that an inspection without such notice is warranted by exigent circumstances
If any delay in conducting an inspection might be seriously detrimental to security, and the director of
CSCD determines that an inspection without notice is warranted
 DHS may conduct spot inspections, if deemed necessary
 Inspectors
 Inspections and audits initially will be conducted by a team of specially trained Federal
Protective Service inspectors detailed to CSCD
 Confidentiality of Information
 In addition to the protections afforded by CVI, information received in an audit or inspection
shall remain confidential under the investigatory file exception, or other appropriate
exception to the public disclosure requirements of 5 U.S.C. 552.
11
Alternative Security Plans
Definition
 A third-party or industry organization program that DHS has determined
meets the requirements of 6 CFR 27 and provides for an equivalent
level of security to that established by the regulation
Applicability
 Tier 4 facilities may submit an ASP in lieu of an SVA or SSP
 Tier 1, 2, & 3 facilities may submit an ASP in lieu of a SSP, though they
may not submit an ASP in lieu of an SVA, i.e., Tier 1, 2, & 3 facilities
must submit a CSAT SVA
Notification
 DHS will inform a covered facility of the approval or disapproval of an
ASP in a fashion similar to notifications provided for following approval
or disapproval of an SVA or SSP
12
Orders & Adjudications
 Orders
 When DHS determines that a facility is in violation of any of the regulatory requirements,
DHS may take appropriate action including the issuance of an appropriate Order
 Types of orders include Orders Assessing Civil Penalty and Orders to Cease Operations
•
Civil penalties not to exceed $25,000 per day per violation
 Orders will include a description of the noncompliance, how to address the noncompliance,
and the date by which the facility must comply with terms of the order
 Adjudication
 Any facility who has received a finding is entitled to an adjudication of any issue of material




fact relevant to any administrative action which deprives that person of a cognizable interest
in liberty or property
Adjudications will be heard by a neutral adjudications officer
Findings eligible for adjudication include potential security threat designations, SSP
disapproval, and issuance of Orders
To challenge a DHS determination, applicants must file Notice of Application for Review
within seven calendar days of receipt of notification to the affected party of DHS’ Finding,
Determination, or Order
“Orders typically are stayed from the time of the filing of a Notice of Application for Review
until the Presiding Office issues an Initial Decision”
 Appeals
 If an affected party disagrees with the Initial Decision received in the adjudication process, it
has the right to appeal that decision to the Under Secretary
13
Chemical-terrorism Vulnerability Information
 Chemical-terrorism Vulnerability Information (CVI)
 CVI is an information handling regime established for the maintenance, safeguarding, and
disclosure of the certain information and records related to the CFATS regulatory regime,
including:
•
•
•
•
•
•
Security Vulnerability Assessments
Site Security Plans
Documents related to the review and approval of SVAs and SSPs
Alternate Security Plans
Documents related to inspections or audits, etc.
Other similar documents
 All CVI materials must be appropriately marked, handled, and stored
 Eligible Persons to use CVI
 The following classes of people may use CVI if they have a need to know:
•
•
•
Facility employees
Federal employees, contractors, and grantees
State/local government employees
 CVI access will include training and certification
 Violation of CVI
 Violation of CVI is grounds for a civil penalty and other enforcement or corrective action by
DHS and appropriate personnel actions for Federal employees
14
Review and Preemption of State Laws and Regulations
 Preemption
 No law, regulation, or administrative action of a State or political subdivision thereof shall
have any effect if such conflicts with, hinders, poses an obstacle to, or frustrates the
purposes of this regulation or of any approval, disapproval, or order issued thereunder
 Review of State Laws
 DHS may review State laws, administrative actions, or opinions or orders of a court under
State law and regulations submitted under this section, and may offer an opinion whether
the application or enforcement of the State law or regulation would conflict with, hinder, pose
and obstacle to or frustrate the purposes of this Part
 DHS may issue an opinion on any question regarding preemptions
 DHS will always seek the views of the State or local jurisdiction whose laws may be affected
by the review
15