Chemical Facilities Anti-Terrorism Standards (CFATS) is a regulatory program established by the US Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). The enforcement of this program aims to enhance the security of chemicals across the United States.
The chemical sector is part of the national critical infrastructure industry producing a broad spectrum of essential benefits to businesses and the public. The benefits include pharmaceuticals, paints and adhesives, soaps and cleaning compounds, pesticides and fertilizers, synthetic resins and rubbers, and basic chemicals. Despite these benefits, chemicals also pose severe security risks, especially if they are stolen, diverted, sabotaged, or released in a terrorist attack.
According to CISA, the CFATS “identifies and regulates high-risk facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists.” All US industrial facilities processing or storing certain chemicals in particular concentrations in the US must adhere to these regulations.
CFATS defines a chemical facility as “any establishment or individual that possesses or plans to possess any of the more than 300 chemicals of interest (COI) described in Appendix A of the Standard, at or above the listed screening threshold quantity (STQ).” These facilities must report the chemicals they possess to CISA using an online survey, known as Top-Screen. CISA uses the survey information to determine whether a facility is high-risk and must develop a security plan.
The CFATS regulation applies to facilities across several industries, including:
- Agriculture and food
- Chemical manufacturing
- Energy and utilities
- Healthcare and pharmaceuticals
- Paint and coatings
- Storage and distribution
- Universities and laboratories
The CFATS program was developed following President Obama’s Executive Order EO 13650 on “Improving Chemical Facility Safety and Security.” The President mandated the government to improve the security of chemical facilities security and reduce the potential risks posed by hazardous chemicals to local communities and the surrounding environment.
In December 2014, the “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014” (CFATS Act of 2014) was signed into law and initially authorized for four years. In January 2019, President Trump signed into law the Chemical Facility Anti-Terrorism Standards Program Extension Act, which extended the CFATS program for another 15 months. Finally, on 22 July 2020, the President extended the expiration date to 27 July 2023.
The importance of CFATS
Terrorists can use COIs to cause injuries or deaths of large portions of the population. CFATS states three serious security issues related to COI:
- Release: A successful release attack is when released chemicals affect a target community. There are three categories of released COI: toxic, flammable, or explosive. A toxic release occurs slowly and can be mitigated by containments or other measures. In contrast, an explosive release happens instantly with little mitigation to slow or stop the effects.
- Theft or Diversion: A successful theft or diversion attack is when COI is stolen and converted into weapons.
- Sabotage: A sabotage attack usually occurs offsite because of on-site tampering. The detection of tampering at the point of shipment is the most appropriate mitigation for these facilities.
The purpose of CFATS is to help chemical facilities address these security issues by implementing appropriate measures.
Applicability of CFATS
The CFATS program applies to many facilities across all industries. However, certain facilities are excluded from the CFATS regulations by statute. These are facilities:
- Regulated by the Maritime Transportation Security Act (MTSA)
- Operated or owned by the Department of Defense (DoD) or Department of Energy (DoE)
- Regulated by the Nuclear Regulatory Commission (NRC)
- A public water system, as defined in 42 US Code § 300
- A treatment works, as described in 33 US Code § 1292
The CFATS process
To meet the CFATS requirements, facilities should follow the steps below described in detail in the CISA CFATS Process overview.
- Determine whether the facility is subject to CFATS by reviewing the COI List in Appendix A: cisa.gov/publication/cfats-coi-list.
- If the facility is subject to CFATS, they must complete the Top-Screen online survey about the chemicals they possess. The survey is available in the Chemical Security Assessment Tool (CSAT), a secure web portal that DHS administers.
- CISA reviews information provided by the facility through the Top-Screen survey using a risk-based methodology. Facilities are notified if they are either a high-risk facility or not. High-risk facilities are ranked into Tiers 1, 2, 3, and 4, with Tier 1 being the highest risk.
- High-risk facilities must submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP)—or an Alternative Security Program (ASP)—under the Risk-Based Performance Standards (RBPS). The facility’s security plan must be tailored to its tier level, risk, and unique circumstances.
- CISA Chemical Security Inspectors perform an on-site authorization inspection of the facility before approving the SSP or ASP. Once the plan is approved, the inspectors conduct regular compliance inspections to verify that the facility implements and sustains the required security measures.
The CFATS Risk Based Performance Standards (RBPS)
As each chemical facility faces different security challenges, the Department of Homeland Security issued regulations “establishing risk-based performance standards for security at chemical facilities.” The high-risk chemical facilities’ security plan must satisfy the 18 Risk-Based Performance Standards (RBPS) to comply with CFATS.
The RBPS assists high-risk chemical facilities in selecting security measures tailored to each facility’s unique situation and risk level.
The RBPS are as follows:
- RBPS 1 – Restrict Area Perimeter: Secure and monitor the facility perimeter.
- RBPS 2 – Secure Site Assets: Secure and monitor restricted areas and potential critical targets in the facility.
- RBPS 3 – Screen and Control Access: Implement strict access control of individuals and vehicles upon entry.
- RBPS 4 – Deter, Detect, and Delay: Prevent, discover and delay potential attacks.
- RBPS 5 – Shipping, Receipt, and Storage: Secure and monitor the shipping, receipt, and storage of hazardous chemicals.
- RBPS 6 – Theft and Diversion: Deter the theft and diversion of hazardous chemicals.
- RBPS 7 – Sabotage: Deter insider sabotage.
- RBPS 8 – Cyber: Deter cyber sabotage through preventing unauthorized access to cyber systems and critical process controls.
- RBPS 9 – Response: Create an incident response plan for handling security incidents.
- RBPS 10 – Monitoring: Maintain continuous monitoring, early warning, and alert systems.
- RBPS 11 – Training: Carry out appropriate security training programs, drills, and exercises.
- RBPS 12 – Personnel Surety: Perform adequate background checks and ensure proper credentials for personnel, and, as needed, unescorted visitors.
- RBPS 13 – Elevated Threats: Escalate protective measures in response to elevated threat levels
- RBPS 14 – Specific Threats, Vulnerabilities, or Risks: Mitigate evolving threats, vulnerabilities, or risks for the facility identified on threat intelligence reports.
- RBPS 15 – Reporting of Significant Security Incidents: Report security incidents to CISA and local law enforcement as required.
- RBPS 16 – Significant Security Incidents and Suspicious Activities: Effectively manage significant security incidents and suspicious activities in or around the facility by detecting, investigating, reporting, and documenting it.
- RBPS 17 – Officials and Organization: Define roles and responsibilities for ensuring compliance with CFATS.
- RBPS 18 – Records: Maintain appropriate records for audit and inspection.
RBPS overarching security guidelines
CISA provides five security guidelines that facilities should consider when determining the appropriate security measures:
- Detection: The capability to identify potential attacks or indications of attacks and to communicate that information.
- Delay: The capability to slow down an adversary’s progress to allow for an adequate response using physical security measures, administrative/procedural measures, and other security management processes.
- Response: The capability to communicate, report, and manage the appropriate reaction to potential attacks to reduce their impact.
- Cyber: The capability to secure critical cyber systems from unauthorized access (on-premise or remote) to essential process controls.
- Security Management: The capability to develop and enforce policies, procedures, and other processes that support the implementation and oversight of the security plan.
Each objective bridge multiple RBPS and can be satisfied through one or more of these RBPS.
- CFATS Resources: cisa.gov/cfats-resources
- CFATS Process: cisa.gov/cfats-process
- CFATS Knowledge Center: csat-help.dhs.gov
How ORIGNIX helps
ORIGNIX has led cyberHAZOP studies at various chemical facilities to ensure all cyber risks have been identified, and proper mitigation actions have been taken to secure cyber systems from unauthorized access to critical process control and safety systems. These studies have greatly assisted the facilities in meeting the CFATS RBPS.
To learn how our customers benefit, visit our website.
Authors note: This blog was co-authored between Saif Shariff and Anastasios Arampatzis