Transcript Slide 1
Securing the Chemical Sector:
An Overview of the Chemical Facility Anti-Terrorism Standards
August 29, 2007
Ronald E. Miller
Inspector
CFATS – Regulation Overview
DHS’s chemical facility security regulatory regime—the Chemical Facility AntiTerrorism Standards (CFATS)—was published on April 9, 2007
In developing the final regulations, DHS reviewed over 1300 pages of comments on the
ANRM submitted from over 110 commenters
The CFATS, which will go into effect after a 60-day Congressional review period, also
includes a list of Chemicals of Interest open for public comment and review
DHS has created the Office of Infrastructure Protection’s Chemical Security
Compliance Division (CSCD) to oversee the regulatory program
Depending on degree of risk posed, covered chemical facilities will be placed in one
of four tiers
Regulation will use risk-based performance standards, allowing facilities to select the most
cost-effective combination of measures to achieve an appropriate level of security
CSCD will roll out regulatory oversight in a phased approach
During 2007, DHS will focus its resources on approximately 50 of the highest risk facilities
However, during 2007, all chemical facilities will be required to complete an initial
consequence screen to identify which facilities are high risk
Security measures at chemical facilities will never compromise safety measures
Chemical facility security risks will not be transferred to surrounding communities
2
CFATS – Regulation Overview (cont.)
The CFATS uses a multi-step process
to:
Identify high-risk chemical facilities
Assign high-risk chemical facilities to risk
tiers
Identify vulnerabilities at high-risk
chemical facilities
Develop and implement Site Security
Plans
Inspect and audit facilities to ensure
vulnerabilities are adequately addressed
and risk-based performance standards
are met
Step 1:
Trigger Top Screen (STQ)
Step 2:
Perform Top Screen
Step 3:
Receive Preliminary Tiering
Step 4:
Perform SVA
Step 5:
Develop Site Security Plan
Step 6:
DHS Review of Site Security Plan
Other important CFATS components
include:
Alternate Security Programs
Adjudications Process
CVI
Step 7:
Inspections/Audits
Step 8:
Implement Site Security Plan
3
Approximate Phase-In of Regulation
4
CSAT – Top Screen
Top Screen
To identify which chemical facilities are high risk, and to gather information for DHS to make
initial risk-based tiering decisions, facilities must complete a “Top Screen”
Top Screen information will be submitted to DHS via the secure DHS CSAT website
A facility must complete and submit a Top Screen if it possesses any of the chemicals listed
in Appendix A at the corresponding Screening Threshold Quantity (STQ)
Designated Submitter
Each facility must designate a submitter who is responsible for submitting the Top Screen
information to DHS
The submitter must be designated by an officer of the corporation and domiciled in the U.S.
Preliminary Determination
Based on the information provided through the Top Screen process, DHS will determine
whether or not a facility “presents a high level of security risk” and thus is a covered facility
under the regulations
•
A facility’s risk primarily depends on whether or not a terrorist attack could result in significant adverse
consequences for human life or health, national security or critical economic assets
Facilities will be notified in writing by DHS upon such a determination
Submission Schedule
The Top Screen must be completed and submitted within 60 days of the effective date of
Appendix A or within 60 calendar days for facilities that subsequently come into possession
of any of the chemicals listed in Appendix A at the corresponding STQs
If a covered facility makes material modifications to its operation or site, the covered facility
must submit a revised Top Screen within 60 days of material modification
5
CSAT – Security Vulnerability Assessment
What is the SVA?
To better define their security posture and identify their vulnerabilities, all covered facilities
must complete a Security Vulnerability Assessment (SVA)
Facilities in Tiers 1-3 must use the CSAT SVA tool developed by DHS
•
Tier 4 facilities may use the CSAT SVA tool or submit an approved alternate SVA under the Alternate
Security Program portion of the regulations
SVA Makeup
An SVA will include an asset characterization, threat assessment, security vulnerability
analysis, risk assessment, and countermeasure analysis
Submission Schedule
Covered facilities must complete and submit SVAs within 90 calendar days of written
notification from the Department or within the time frame specified in any subsequent
Federal Register notice
Review and Approval
DHS will review and approve in writing all SVAs that satisfy the requirements of § 27.215,
including Alternative Security programs submitted pursuant to § 27.235
If an SVA does not satisfy the requirements of § 27.215, DHS will provide the facility with a
written notification that includes a clear explanation of deficiencies in the SVA
•
DHS will offer assistance to facilities that submit deficient SVAs
6
Registration for CSAT
Registration
In order to access the CSAT secure on-line tool, users must register with DHS
by submitting a user access form
Process
After completion and submittal of the user access request form, DHS will issue
unique usernames and passwords for access to the CSAT data collection tool to
protect your company’s sensitive data
Facilities must designate:
• A Preparer – authorized to enter the required data into CSAT,
• A Submitter – certified by the company or corporation to formally submit the regulatory
required data to the Department. The Submitter must be authorized and domiciled in the
U.S, and
• An Authorizer – empowered by the facility parent company to provide assurance that
the user account request for the Preparer and Submitter is valid
After Registration
Upon receipt of username and password via email, and following the June 8,
2007 activation date, users may access the Top Screen CSAT collection tool
(found on-line at www.dhs.gov/chemicalsecurity)
7
Tiering of Covered Facilities
Preliminary Tiering
All covered facilities shall be placed within one of four risk-based tiers, ranging from the
highest risk facilities in Tier 1 to lowest risk facilities in Tier 4
•
Facilities not covered by the regulation will not be tiered
Initial tiering decisions will be based on information about the facility received from the Top
Screen or other means
The Department will notify a a facility of its initial risk based tier in writing
Final Tiering
After receiving the SVA, DHS will review the SVA and either confirm or adjust the risk-based
tier assigned to the facility
If, after receiving its final tiering, a facility makes material modifications to their operations,
materials on site, etc., they must submit a revised Top Screen (and possibly SVA & SSP),
and their tiering may be adjusted accordingly
8
Site Security Plans
SSP: Each covered facility must prepare and implement a Site Security Plan that:
Addresses each vulnerability identified in the SVA and describes the security measures to
address each such vulnerability
Identifies and describes how security measures selected by the facility meet or exceed each
applicable performance standard for the facility’s risk-based tier
CSAT SSP
DHS has prepared a template for a model SSP, which is available through the CSAT tool
Facilities must use either the CSAT model SSP or an alternate SSP format approved by
DHS under the Alternate Security Program
Submission of SSP
SSPs must be submitted within 120 calendar days of written notification from DHS or within
the time frame specified in any subsequent Federal Register notice
When a covered facility updates, revises or otherwise alters its SVA, the covered facility
must make corresponding changes to its SSP
Review and Approval
DHS will review and approve or disapprove all SSPs using a two-step process:
•
•
First, DHS will make an initial determination based solely on the SSP and, if it is acceptable, issue a
Letter of Authorization
Once SSP is authorized, DHS will inspect a facility for determination of compliance with the rule; if in
compliance, facility will receive a Letter of Approval
If DHS disapproves a SSP, the facility will be notified in writing.
•
Note that DHS will not disapprove a SSP based on the presence or absence of a particular security
measure
9
Risk-Based Performance Standards
Performance Standards
Covered facilities must satisfy the Risk-Based Performance Standards (RBPSs) identified in
Section 27.230 of the regulations
There are 19 RBPSs in the rule, addressing the following areas:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Restricted Area Perimeter
Securing Site Assets
Screening and Access Controls
Deter, Detect, and Delay
Shipping, Receipt, and Storage
Theft and Diversion
Sabotage
Cyber
Response
Monitoring
Training
12. Personnel Surety
13. Elevated Threats
14. Specific Threats, Vulnerabilities,
or Risks
15. Reporting of Significant Security
Incidents
16. Significant Security Incidents and
Suspicious Activities
17. Officials and Organizations
18. Records
19. Others as determined by DHS
Guidance for Covered Facilities
DHS will issue guidance on the application of these standards to risk-based tiers of covered
facilities, and the acceptable layering of measures used to meet these standards will vary by
risk based tier. 6 CFR 27.230(a)
10
Inspections and Audits
Inspections Generally
In order to asses compliance with the requirements of the regulations, DHS may enter,
inspect, and audit covered facilities
Inspections will follow preliminary approval of SSPs
Timing of Inspections
DHS will provide 24-hour advance notice of inspections, except:
•
•
If DHS determines that an inspection without such notice is warranted by exigent circumstances
If any delay in conducting an inspection might be seriously detrimental to security, and the director of
CSCD determines that an inspection without notice is warranted
DHS may conduct spot inspections, if deemed necessary
Inspectors
Inspections and audits initially will be conducted by a team of specially trained Federal
Protective Service inspectors detailed to CSCD
Confidentiality of Information
In addition to the protections afforded by CVI, information received in an audit or inspection
shall remain confidential under the investigatory file exception, or other appropriate
exception to the public disclosure requirements of 5 U.S.C. 552.
11
Alternative Security Plans
Definition
A third-party or industry organization program that DHS has determined
meets the requirements of 6 CFR 27 and provides for an equivalent
level of security to that established by the regulation
Applicability
Tier 4 facilities may submit an ASP in lieu of an SVA or SSP
Tier 1, 2, & 3 facilities may submit an ASP in lieu of a SSP, though they
may not submit an ASP in lieu of an SVA, i.e., Tier 1, 2, & 3 facilities
must submit a CSAT SVA
Notification
DHS will inform a covered facility of the approval or disapproval of an
ASP in a fashion similar to notifications provided for following approval
or disapproval of an SVA or SSP
12
Orders & Adjudications
Orders
When DHS determines that a facility is in violation of any of the regulatory requirements,
DHS may take appropriate action including the issuance of an appropriate Order
Types of orders include Orders Assessing Civil Penalty and Orders to Cease Operations
•
Civil penalties not to exceed $25,000 per day per violation
Orders will include a description of the noncompliance, how to address the noncompliance,
and the date by which the facility must comply with terms of the order
Adjudication
Any facility who has received a finding is entitled to an adjudication of any issue of material
fact relevant to any administrative action which deprives that person of a cognizable interest
in liberty or property
Adjudications will be heard by a neutral adjudications officer
Findings eligible for adjudication include potential security threat designations, SSP
disapproval, and issuance of Orders
To challenge a DHS determination, applicants must file Notice of Application for Review
within seven calendar days of receipt of notification to the affected party of DHS’ Finding,
Determination, or Order
“Orders typically are stayed from the time of the filing of a Notice of Application for Review
until the Presiding Office issues an Initial Decision”
Appeals
If an affected party disagrees with the Initial Decision received in the adjudication process, it
has the right to appeal that decision to the Under Secretary
13
Chemical-terrorism Vulnerability Information
Chemical-terrorism Vulnerability Information (CVI)
CVI is an information handling regime established for the maintenance, safeguarding, and
disclosure of the certain information and records related to the CFATS regulatory regime,
including:
•
•
•
•
•
•
Security Vulnerability Assessments
Site Security Plans
Documents related to the review and approval of SVAs and SSPs
Alternate Security Plans
Documents related to inspections or audits, etc.
Other similar documents
All CVI materials must be appropriately marked, handled, and stored
Eligible Persons to use CVI
The following classes of people may use CVI if they have a need to know:
•
•
•
Facility employees
Federal employees, contractors, and grantees
State/local government employees
CVI access will include training and certification
Violation of CVI
Violation of CVI is grounds for a civil penalty and other enforcement or corrective action by
DHS and appropriate personnel actions for Federal employees
14
Review and Preemption of State Laws and Regulations
Preemption
No law, regulation, or administrative action of a State or political subdivision thereof shall
have any effect if such conflicts with, hinders, poses an obstacle to, or frustrates the
purposes of this regulation or of any approval, disapproval, or order issued thereunder
Review of State Laws
DHS may review State laws, administrative actions, or opinions or orders of a court under
State law and regulations submitted under this section, and may offer an opinion whether
the application or enforcement of the State law or regulation would conflict with, hinder, pose
and obstacle to or frustrate the purposes of this Part
DHS may issue an opinion on any question regarding preemptions
DHS will always seek the views of the State or local jurisdiction whose laws may be affected
by the review
15