Security at most industrial facilities is essential, but not all facilities have stringent government security standards applied to them.

Many chemical plant facilities do, however.

And this compliance makes the demands of security that much more challenging.

What is CFATS?

Chemical Facility Anti-Terrorism Standards, or CFATS, is the first regulatory program in the United States focused specifically on security at high-risk chemical facilities.

Today, the CFATS program is managed by the Cybersecurity and Infrastructure Security Agency (CISA), a standalone United States federal agency, and an operational component under the Department of Homeland Security oversight.

CISA was established on November 16, 2018, when President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law.

The CFATS program identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risk of certain hazardous chemicals being weaponized by terrorists.

A brief history of CFATS:

  • 2007: Initially authorized by Congress
  • December 18, 2014: The CFATS Act of 2014 was signed into law recodifying and reauthorizing the CFATS program for four years
  • January 18, 2019: President Trump signed the CFATS Program Extension Act to extend the program for 15 months
  • March 27, 2020: President Trump signed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which included a provision to extend the CFATS program to July 23, 2020
  • July 22, 2020: President Trump signed Public Law No. 116-150 extending the expiration date of the CFATS Act of 2014, Pub. L. No. 113-254, to July 27, 2023

Chemicals of Interest and High-Risk Tiers

Any facility that possesses, or plans to possess, any chemicals is required to review Appendix A of the Chemical Facility Anti-Terrorism Standards (CFATS) regulation. The Appendix lists more than 300 chemicals of interest, or COI, and their respective screening threshold quantities, or STQ, all of which are then categorized under three main security issues:

  • Release: Toxic, flammable, or explosive chemicals or materials that can be released at a facility
  • Theft or Diversion: Chemicals or materials that, if stolen or diverted, can be converted into weapons using simple chemistry, equipment, or techniques
  • Sabotage: Chemicals or materials that can be mixed with readily available materials

If a facility does possess one of these 300 COI it does not necessarily have to comply with the standards of CFATS. The actual quantity of the chemicals must also meet or exceed the STQ for that chemical.

However, a facility that has chemicals of interest on site that meet or exceed the specified concentrations and quantities is required to first report possession of those chemicals to CISA. This is done by completing their online survey called a Top-Screen using the Chemical Security Assessment Tool.

The CISA then reviews the Top-Screen using a risk-based methodology. The facility is notified if they are determined to be a high-risk facility or not. If not, the facility and its security measures are not regulated under CFATS.

However, if the facility is determined to be a high-risk facility, it is also ranked into one of the high-risk tiers designated as Tiers 1, 2, 3, and 4, with Tier 1 being the highest risk.

A facility that has been determined to be “high-risk” by the CISA is then required to develop a security plan and implement security measures that reduce the risks associated with their COI. In addition, this security plan and subsequent measures must be approved by CISA.

A Look at CFATS Security Vulnerability Assessment and Site Security Plan

The CISA wants to be able to analyze and assess a high-risk facility’s security measures and any vulnerabilities it may have regarding its use of chemicals of interest and any policies, procedures, and resources that support the facility’s security plan.

Some of these potential vulnerabilities may include incomplete documentation, lack of training, or insufficient resources. This assessment is accomplished with the Security Vulnerability Assessment, or SVA, that must be submitted by the facility management.

In addition, there is an assessment of the facility’s critical assets. A critical asset, according to CISA, is,

“An asset whose theft, diversion, loss, damage, disruption, or degradation would result in a significant adverse impact to human life, national security, or a critical economic asset.” 

Along with the SVA, a high-risk chemical facility is required to submit a Site Security Plan, or SSP. Currently, this can be done using a CSAT generated, online questionnaire.

The questionnaire allows the facility to describe existing or planned security measures appropriate for the risk level tier assigned to the facility and for any unique considerations of the facility.

The challenge for many facilities is to develop and implement an SSP that meets the CFATS Risk-Based Performance Standards (RBPS).

To help with this task, the CISA provides a CFATS RBPS Guidance document to help high-risk chemical facilities to select security measures and activities such as perimeter security, access control, personnel security, and cybersecurity.

The Guidance is almost 200 pages long and is based on performance standards established by the Department of Homeland Security (DHS).

This is significant since the DHS and CISA use this definition of a “performance standard,”

 “A performance standard specifies the outcome required but leaves the specific measures to achieve that outcome up to the discretion of the regulated entity. In contrast to a design standard or a technology-based standard that specifies exactly how to achieve compliance, a performance standard sets a goal and lets each regulated entity decide how to meet it.”

What this means for a chemical facility is that the CFATS program allows them the flexibility to choose the most cost-effective method for achieving the required level of security determined by their risk profile.

Meeting the Challenge for Facility Security and Surveillance

However, although the performance standards allow for flexibility, they still mandate thresholds that the facility must reach in order to be approved by the DHS. The table of Risk-Based Performance Standards lists 18 distinct standards items or categories.

 These include:

  • Restrict Area Perimeter: Secure and monitor the perimeter of the facility
  • Secure Site Assets: Secure and monitor restricted areas or potentially critical targets within the facility
  • Deter, Detect, and Delay: Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful
  • Monitoring: Maintain effective monitoring, communications, and warning systems 

Along with the 14 other “performance standards” these, in particular, require an extensive and comprehensive security and surveillance system.

For example, a Tier 4 facility, the lowest “high-risk” designation, requires the following to be compliant with the “Restrict Area Perimeter” performance standard:

“The facility has a perimeter security and monitoring system that enables the facility to delay a portion of attempted adversary penetrations and channel personnel and vehicles to access control points; including a system to monitor and report unauthorized penetrations of the facility perimeter.”

In comparison, the same facility, if it was designated as a Tier 1 facility, is described as follows:

“The facility has an extremely vigorous perimeter security and monitoring system that enables the facility to thwart most adversary penetrations and channel personnel and vehicles to access control points; including a perimeter intrusion detection and reporting system with multiple additive detection techniques that can demonstrate an extremely low probability that perimeter penetration would be undetected.”

What is needed to meet these stringent performance standards is a real-time, interactive security system. This means having advanced security and surveillance technology that turns your existing camera network into an active security system.

By incorporating AI software technology, your security cameras also become detection and breach sensors so that allows your system to anticipate threats 24/7.

Using Blue Eye’s advanced, proprietary managed service platform for your CFATS performance standards needs, you have a highly enhanced security network in place. When a threat or breach is detected, an alarm is immediately sent to our command center. Highly trained Video Surveillance Technicians (VSTs) then respond to the threat in real-time, assess the situation, and take appropriate action.

These actions can range from a verbal warning broadcast over a loudspeaker to calling the police or contracted security service. By using both artificial and human intelligence, our approach allows for compliant solutions utilizing the cameras you already have installed.

At Blue Eye, we use our proprietary AI software to detect potential threats in seconds, alerting our highly trained Video Surveillance Technicians who react in real-time to deter potential crimes.

Give us a call at 855.258.3662 or email us at [email protected]. Let us design an effective solution for your business!