CFATS — The Process
For the past four years, the Department of Homeland Security (DHS) and the chemical industry have been working to secure facilities that use, produce or store certain chemicals. The Chemical Anti-Terrorism Standards (CFATS) mandate was developed to set a high security standard without rigid inflexible requirements. There are three main steps to meeting CFATS — a top screen, a security vulnerability assessment (SVA) and finally, a site security plan (SSP).
About 34,000 facilities have submitted top screens to the DHS to determine if their facility is considered at risk and subject to CFATS. Many chemical plants received notification that they needed to conduct a top screen, but the lack of a notification does not necessarily mean that an organization is off the hook — the CFATS mandate may still apply. If a facility uses, makes or stores any of the chemicals of interest (COIs) in quantities above the screening threshold quantity, a top screen needs to be conducted. COIs and thresholds are listed in Appendix A of the CFATS legislation and are posted online.
DHS developed an online tool called the Chemical Security Assessment Tool (CSAT) to help facilities and businesses maneuver through the CFATS process — from company registration to a template for the final SSP. Company registration is the first step, followed by the top screen questionnaire.
The person filling out the top screen questionnaire must be chemical terrorism vulnerability information-authorized, meaning someone who has had training by the DHS on the handling of sensitive material and information. Once completed, the top screen is submitted online to the DHS. The top screen data is part of what is used to determine if the facility needs to comply with the CFATS mandates.
Top screens were supposed to be completed and submitted to the DHS by January 22, 2008, but industry experts believe there are many companies out there that may not realize they are subject to the mandates. The DHS has estimated that as many as 45,000 top screens should be submitted by the time the process is complete.
The Security Vulnerability Assessment
After completing a top screen, the next step is to wait for a letter from the DHS, which lets the facility know that it has tiered out, meaning the mandates do not apply, or it is given a preliminary tier assignment between one and four, with one having the most risk. So far, the DHS has given a preliminary tier assignment to about 7,000 facilities and approximately 27,000 facilities have tiered out.
Those with a preliminary tier assignment must move on to the next step, which is to submit a SVA using the online CSAT. The purpose of the SVA is to determine the likelihood of an attack on a facility being successful and the amount of anticipated damage that would result. In the SVA, facilities may be asked to identify critical assets associated with each COI listed in the tier letter, as well as inventory and describe facility security equipment, including access control procedures and systems, and shipping and receiving procedures.
Facilities are also asked to look at a series of DHS-defined attack scenarios and evaluate the response and consequence of each critical asset/COI combination. These scenarios are based on the characteristics of the COI and the security issues listed in the facility’s preliminary tier letter. The facility is then required to provide an informed judgment on how successful the attack could be and how effective the emergency response would be.
The SVA is a complex process — usually requiring a team of professionals — and can take several hundred hours to complete. From the date of receiving the preliminary tier letter, facilities have the following amount of time to file an SVA: Tier 1 is 90 days, Tier 2 is 120 days, Tier 3 is 150 days and Tier 4 is 180 days.
The DHS then evaluates the SVA and can do one of three things:
- Let the facility know that, based on the SVA, it is not considered at risk and not subject to CFATS at this time. If the facility’s COI inventory changes, then it may need to submit another top screen.
- Confirm the facility’s original ranking.
- Change the tier ranking based on the SVA.
In the last two cases, the facility receives a letter from the DHS confirming the original or altered ranking. The letter also includes a list of the COIs at the facility that concerns that DHS and the security issues associated with those COIs. It also notifies the facility management of the date the SSP is due to the DHS.
The Site Security Plan: The First Step
The SSP is based on 18 risked-based performance standards (RBPS). These RBPSs are meant to provide facilities with guidance on the type and level of security required by the DHS, but they are not strict guidelines and they do not prescribe any specific solutions. Before filling out the SSP questionnaire, each facility should lay out a plan. Take all of the information gathered, and using the 18 RBPSs, develop a plan and procedure to cover each standard.
For example, look at the first RBPS. RBPS1 requires facilities to restrict the area perimeter. The higher the tier ranking, the higher the performance expectation for nearly all of the RBPSs. So, a Tier 1 facility would be required to have a higher level of perimeter security than a Tier 3 or 4 facility. While fencing and landscaping may be enough for one facility, another may need fiberoptic fencing and in-ground radar.
The risk-based nature of the SSP makes planning ahead even more important. It gives the entire CFATS team the time and perspective to look at the facility and its security as a whole. For many facilities, that means a much smoother SSP submittal and approval process. Once the SSP is complete and submitted, it must be approved and implemented. At that point, the DHS performs an inspection and facilities can expect ongoing DHS periodic inspections and visits.
For more information, please visit www.adtbusiness.com/petrochem.