Many entities are unaware of their need to comply with the Department of Homeland Security's new inspections for and enforcement of Chemical Facility Anti-Terrorism Standards.
As of January 2010, the Department of Homeland Security (DHS) began inspections for and enforcement of Chemical Facility Anti-Terrorism Standards, also known as CFATS.
The name of the regulation is somewhat misleading in that it may lead you to believe it only applies to chemical facilities. Many companies are unaware of their compliance requirements. But, as stipulated in Section 27.300 of the DHS final rule (Code of Federal Register [CFR], section 6, part 27), noncompliance can lead to fines up to $25,000 per day, a shutdown of your operation, or both.
Not Just Chemical Facilities
The trigger for compliance under CFATS is not the nature of business conducted at the facility. It is possession of one or more of the 322 Chemicals of Interest (COI) listed in 6 CFR Part 27. The CFATS regulation was brought into law by a congressional mandate in April 2007. It defined a covered facility as “any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criteria identified by the Department.”
Few Facilities Are Exempt
Under section 550, the law makes only five exemptions:
- Facilities regulated under the Maritime Transportation Security Act
- Facilities regulated by the Nuclear Regulatory Commission
- Facilities owned or operated by the Department of Defense or the Department of Energy
- Facilities defined as public water systems by section 1401 of the Safe Water Drinking Act
- Facilities defined as water-treatment works by section 212 of the Federal Water Pollution Control Act
This means that a broad array of industries and facilities may be subject to CFATS regulation depending on their circumstances and the amount of listed chemicals they possess. Industries such as universities and colleges, hospitals, warehouses, paint manufacturers, oil and gas operations, mining industries and powder coaters are all operations that may fall under this regulation.
Tiered System of Requirements
The security expectations of a facility are based on the tier rating assigned by DHS. These tier ratings range from 1 to 4, with 1 being the highest risk and subjected to the most stringent security requirements. The DHS rating is based on the COI present, the amount of that COI, the location of the facility in relation to densely populated areas, and other criteria that are not publically disclosed.
To find out where your facility falls, the first step is to understand what COI are present at your facility that may be regulated by DHS under CFATS. Conducting an in-depth audit of all chemicals that have been, and continue to be, in your facility and benchmarking those chemicals against the DHS list will confirm whether the COI on site exceed the Screening Threshold Quantity (STQ), a measure of concentration and volume. If COI are determined to exist in excess of the DHS STQ, the process of notifying DHS and working
to either become compliant or to remove the COIs begins.
Efficient Compliance Process Yields Long-Term Benefits
DHS estimates the entire process to take up to 600 man-hours, for initial submittal via the DHS web-based interface tool, Top Screen, to Site Security Plan submittal. The actual time required mainly hinges on the security experience of the individual tasked with CFATS compliance. Most users find the Top Screen portion easier as the user is simply inputting the COI identified on site into the DHS web-based interface. However, the difficulty and
time required ramp up significantly if the facility becomes formally tiered by DHS and a request for a Security Vulnerability Assessment is received. Preparing a Site Security Plan requires addressing 1,500 questions — which must be answered anew each time an additional chemical storage area is identified.
A significant amount of time can be wasted if an organized and disciplined approach is not undertaken from the very beginning. The Site Security Plan is based on 18 risk-based performance standards (RBPS). These performance standards range from perimeter security and personnel surety to shipping and receiving policies and COI monitoring and response.
An organized and disciplined approach to compliance can make the difference between many wasted hours going back and forth between operational stakeholders and an experience that makes compliance tolerable and a learning experience for the organization.
About the Author
R.J. Hope is a senior physical security analyst and project manager in the Burns & McDonnell Global Security Services Group. He is ASIS board-certified as a Certified Protection Professional (CPP), recognized as the highest certification in the security industry worldwide, and is certified as an Associate Business Continuity Planner (ABCP).