Chemicals are integral to modern society. They are extensively used in education, medicine, transportation, food production, manufacturing, and the environment. Despite their numerous benefits, however, they also have the potential to be weaponized. In response to this threat, the Cybersecurity & Infrastructure Security Agency (CISA), an attached agency under the US Department of Homeland Security, manages and enforces the Chemical Facility Anti-Terrorism Standards (CFATS) Program. This program aims to identify, regulate, and assist chemical facilities in safeguarding their chemical inventories from exploitation by terrorists. This article will give an overview of the following:
- the basics of CFATS
- which facilities are covered by CFATS, and
- navigating the CFATS process
with an emphasis on how organizations can streamline the reporting of chemicals of interest in the CFATS system.
What is CFATS?
The CFATS program aims to address chemical security risks present in facilities that handle any of the more than 300 chemicals of interest (COI) listed in Appendix A of the regulation, taking into account their quantities and concentrations. The rule covers chemical facilities ranging from large chemical manufacturing plants, refineries, power plants, and universities to small laboratories and independent parties. Public water systems and treatment works, chemical facilities owned or operated by the Department of National Defense or the Department of Energy, and other facilities under the regulation of the Nuclear Regulatory Commission and the Maritime Transportation Security Act are all excluded from CFATS. Facilities that possess or intend to possess COI at or exceeding screening threshold quantities (STQ) and concentrations must go through the CFATS process (beginning by determining whether a facility is considered high-risk). The program then requires high-risk facilities to develop a plan to address security issues associated with their chemical inventories.
Which security issues are addressed by CFATS?
Chemicals of interest are categorized under 3 main security issues: “release,” “theft/diversion,” and “sabotage.” Each of these three issues has corresponding STQ and concentration levels. Chemicals in the list can belong to multiple security categories, provided that the quantities and concentrations exceed the corresponding screening thresholds of each category.
COI in the release category are those toxic, flammable, or explosive chemicals that can be released outside the facility. This category includes chemicals such as acetylene (used in the metal welding and cutting industry) and chlorine (used to clean pools and waterparks).
COI belonging to the theft or diversion category are substances that, when stolen, can be converted to chemical weapons or their precursors using chemical processes and methodologies. An example of a chemical in this security category is hydrogen peroxide (commonly used in meat processing facilities for disinfection). If stolen or diverted, terrorists can use this as a precursor to make explosive devices.
COI that can be readily mixed with available materials are categorized as having sabotage or contamination security issues. One example is potassium cyanide (commonly used in university laboratories), which is extremely toxic.
What is the process for complying with CFATS?
The first step in complying with CFATS is to complete the Chemical-Terrorism Vulnerability Information (CVI) training to access any CFATS-related application. A facility can then be registered in the Chemical Security Assessment Tool to access all the CFATS-related resources. Once granted access, the Top-Screen report tool can be used to input any chemicals of interest. The system uses a risk-based methodology to determine whether a facility is high-risk. This determination depends on several factors, including the nature and concentration of the chemicals in question.
If a facility is deemed high-risk, a site vulnerability assessment (SVA) and a site security plan (SSP) must be submitted that satisfy the CFATS Risk-Based Performance Standards. The format of the SSP depends on the high-risk tier level, with lower tiers having the option to participate in the expedited approval program. It is important to note that the CFATS process is not only performed on an annual basis. Every time any chemical of interest is acquired by a high-risk facility, a Top-Screen report must be accomplished within 60 days.
What does a CFATS violation entail?
The authority given to CISA is not limited to prescribing a review process for identifying high-risk chemical facilities. They are also given the power to enter, inspect, and audit chemical facilities’ records, equipment, and procedures. Below is a list of possible violations and the corresponding fines:
- Failure to file Top-Screen Report and SVA/SSP on time: fines can range from a one-time fee of $2,000 to $2,000 per day for each day of failing to file.
- Knowing submission of false information: fines are determined on a case-by-case basis.
- Deficient site security plans or improper implementation: fines range from $1,000 to $10,000 per day, depending on the severity, until all deficiencies or infractions are corrected.
- Failure to maintain records and safely handle the CVI: fines are determined on a case-by-case basis.
How can the identification of COI be streamlined?
Achieving compliance with CFATS can be difficult, as it entails keeping an accurate record of chemical inventory. Late filing of a CFATS report or inaccuracies in submission can result in hefty fines. Safekeeping sensitive information is also a major concern, and reckless execution comes with business risks and civil penalties. Secure, cloud-based environmental health and safety (EHS) software can do most of the heavy lifting when it comes to managing chemical inventory and associated safety data sheets (SDS). This sort of tool can greatly expedite the CFATS (and other regulatory reporting) process. Having a cloud-based system means that data can be added, edited, and viewed in real time.
Having a centralized, digital record of chemical inventory and SDS offers greater organization than manually updated and filed spreadsheets. Choosing a chemical inventory and electronic SDS management solution with a user-friendly interface will enable users to update essential chemical information (location, volume, usage, hazards, etc.) whenever a transaction occurs (new chemicals are added or removed, and existing stocks are expiring, used, ordered, received, transferred, or dispersed). Additionally, some tools for electronic chemical inventory and SDS management will have reporting features with built-in templates that allow safety teams to filter chemicals within their system by regulation-specific hazard criteria and immediately export that data for sharing with the appropriate authorities. Combining the power of a regularly updated inventory (that makes monitoring whether or not a COI has already reached threshold quantities easier) and the ability to automate reporting processes results in the timely submission of Top-Screen Reports.
The CFATS program addresses security risks associated with COI by identifying and regulating high-risk chemical facilities, providing guidelines on safeguarding chemical assets, and imposing fines on erring facilities. By using secure tools (such as chemical inventory and electronic SDS management software) that streamline chemical management, facilities can be diligent in their compliance with government security regulations, not only for their benefit but also for the benefit of society.
The SafetyStratus Research Advisory Group (RAG) brings together thought leaders from the global environmental, health, and safety community to promote best practices and provide key insights in the profession and the industries they serve. The Research Advisory Group also advocates, where practical, the intersection of and advances with the use of technology, such as the SafetyStratus enterprise EHS software platform. Group membership consists of representatives from across varied disciplines and market sectors as well as select members of the SafetyStratus team.
The primary objectives of the SafetyStratus RAG partnership are to:
- Build a strategic partnership between EHS practitioners and the SafetyStratus team.
- Provide engaging and practical content to the global EHS community.
- Provide discipline and market feedback specific to SafetyStratus products and services.
While the objectives of the RAG are varied, the primary public-facing outcome will be available through engaging and practical content found on the SafetyStratus resource pages. Various articles, papers, and other valuable resources will be produced and shared as part of an ongoing effort to cultivate a robust community. Ultimately, the SafetyStratus RAG will expand to have a broader reach and provide opportunities for more inclusion by all interested EHS professionals in a collaborative community environment.