Securing the Chemical Sector:

1

• Securing the Chemical Sector
• An Overview of the Chemical Facility
  Anti-Terrorism Standards
• August 29, 2007
• Ronald E. Miller
• Inspector

2
CFATS Regulation Overview

• DHSs chemical facility security regulatory
  regimethe Chemical Facility Anti-Terrorism
  Standards (CFATS)was published on April 9, 2007
• In developing the final regulations, DHS reviewed
  over 1300 pages of comments on the ANRM submitted
  from over 110 commenters
• The CFATS, which will go into effect after a
  60-day Congressional review period, also includes
  a list of Chemicals of Interest open for public
  comment and review
• DHS has created the Office of Infrastructure
  Protections Chemical Security Compliance
  Division (CSCD) to oversee the regulatory program
• Depending on degree of risk posed, covered
  chemical facilities will be placed in one of four
  tiers
• Regulation will use risk-based performance
  standards, allowing facilities to select the most
  cost-effective combination of measures to achieve
  an appropriate level of security
• CSCD will roll out regulatory oversight in a
  phased approach
• During 2007, DHS will focus its resources on
  approximately 50 of the highest risk facilities
• However, during 2007, all chemical facilities
  will be required to complete an initial
  consequence screen to identify which facilities
  are high risk
• Security measures at chemical facilities will
  never compromise safety measures
• Chemical facility security risks will not be
  transferred to surrounding communities

3
CFATS Regulation Overview (cont.)

• The CFATS uses a multi-step process to
• Identify high-risk chemical facilities
• Assign high-risk chemical facilities to risk
  tiers
• Identify vulnerabilities at high-risk chemical
  facilities
• Develop and implement Site Security Plans
• Inspect and audit facilities to ensure
  vulnerabilities are adequately addressed and
  risk-based performance standards are met
• Other important CFATS components include
• Alternate Security Programs
• Adjudications Process
• CVI

Implement Site Security Plan
4
Approximate Phase-In of Regulation
5
CSAT Top Screen

• Top Screen
• To identify which chemical facilities are high
  risk, and to gather information for DHS to make
  initial risk-based tiering decisions, facilities
  must complete a Top Screen
• Top Screen information will be submitted to DHS
  via the secure DHS CSAT website
• A facility must complete and submit a Top Screen
  if it possesses any of the chemicals listed in
  Appendix A at the corresponding Screening
  Threshold Quantity (STQ)
• Designated Submitter
• Each facility must designate a submitter who is
  responsible for submitting the Top Screen
  information to DHS
• The submitter must be designated by an officer of
  the corporation and domiciled in the U.S.
• Preliminary Determination
• Based on the information provided through the Top
  Screen process, DHS will determine whether or not
  a facility presents a high level of security
  risk and thus is a covered facility under the
  regulations
• A facilitys risk primarily depends on whether or
  not a terrorist attack could result in
  significant adverse consequences for human life
  or health, national security or critical economic
  assets
• Facilities will be notified in writing by DHS
  upon such a determination
• Submission Schedule
• The Top Screen must be completed and submitted
  within 60 days of the effective date of Appendix
  A or within 60 calendar days for facilities that
  subsequently come into possession of any of the
  chemicals listed in Appendix A at the
  corresponding STQs
• If a covered facility makes material
  modifications to its operation or site, the
  covered facility must submit a revised Top Screen
  within 60 days of material modification

6
CSAT Security Vulnerability Assessment

• What is the SVA?
• To better define their security posture and
  identify their vulnerabilities, all covered
  facilities must complete a Security Vulnerability
  Assessment (SVA)
• Facilities in Tiers 1-3 must use the CSAT SVA
  tool developed by DHS
• Tier 4 facilities may use the CSAT SVA tool or
  submit an approved alternate SVA under the
  Alternate Security Program portion of the
  regulations
• SVA Makeup
• An SVA will include an asset characterization,
  threat assessment, security vulnerability
  analysis, risk assessment, and countermeasure
  analysis
• Submission Schedule
• Covered facilities must complete and submit SVAs
  within 90 calendar days of written notification
  from the Department or within the time frame
  specified in any subsequent Federal Register
  notice
• Review and Approval
• DHS will review and approve in writing all SVAs
  that satisfy the requirements of 27.215,
  including Alternative Security programs submitted
  pursuant to 27.235
• If an SVA does not satisfy the requirements of
  27.215, DHS will provide the facility with a
  written notification that includes a clear
  explanation of deficiencies in the SVA
• DHS will offer assistance to facilities that
  submit deficient SVAs

7
Registration for CSAT

• Registration
• In order to access the CSAT secure on-line tool,
  users must register with DHS by submitting a user
  access form
• Process
• After completion and submittal of the user access
  request form, DHS will issue unique usernames and
  passwords for access to the CSAT data collection
  tool to protect your companys sensitive data
• Facilities must designate
• A Preparer authorized to enter the required
  data into CSAT,
• A Submitter certified by the company or
  corporation to formally submit the regulatory
  required data to the Department. The Submitter
  must be authorized and domiciled in the U.S, and
• An Authorizer empowered by the facility parent
  company to provide assurance that the user
  account request for the Preparer and Submitter is
  valid
• After Registration
• Upon receipt of username and password via email,
  and following the June 8, 2007 activation date,
  users may access the Top Screen CSAT collection
  tool (found on-line at www.dhs.gov/chemicalsecurit
  y)

8
Tiering of Covered Facilities

• Preliminary Tiering
• All covered facilities shall be placed within one
  of four risk-based tiers, ranging from the
  highest risk facilities in Tier 1 to lowest risk
  facilities in Tier 4
• Facilities not covered by the regulation will not
  be tiered
• Initial tiering decisions will be based on
  information about the facility received from the
  Top Screen or other means
• The Department will notify a a facility of its
  initial risk based tier in writing
• Final Tiering
• After receiving the SVA, DHS will review the SVA
  and either confirm or adjust the risk-based tier
  assigned to the facility
• If, after receiving its final tiering, a facility
  makes material modifications to their operations,
  materials on site, etc., they must submit a
  revised Top Screen (and possibly SVA SSP), and
  their tiering may be adjusted accordingly

9
Site Security Plans

• SSP Each covered facility must prepare and
  implement a Site Security Plan that
• Addresses each vulnerability identified in the
  SVA and describes the security measures to
  address each such vulnerability
• Identifies and describes how security measures
  selected by the facility meet or exceed each
  applicable performance standard for the
  facilitys risk-based tier
• CSAT SSP
• DHS has prepared a template for a model SSP,
  which is available through the CSAT tool
• Facilities must use either the CSAT model SSP or
  an alternate SSP format approved by DHS under the
  Alternate Security Program
• Submission of SSP
• SSPs must be submitted within 120 calendar days
  of written notification from DHS or within the
  time frame specified in any subsequent Federal
  Register notice
• When a covered facility updates, revises or
  otherwise alters its SVA, the covered facility
  must make corresponding changes to its SSP
• Review and Approval
• DHS will review and approve or disapprove all
  SSPs using a two-step process
• First, DHS will make an initial determination
  based solely on the SSP and, if it is acceptable,
  issue a Letter of Authorization
• Once SSP is authorized, DHS will inspect a
  facility for determination of compliance with the
  rule if in compliance, facility will receive a
  Letter of Approval
• If DHS disapproves a SSP, the facility will be
  notified in writing.
• Note that DHS will not disapprove a SSP based on
  the presence or absence of a particular security
  measure

10
Risk-Based Performance Standards

• Performance Standards
• Covered facilities must satisfy the Risk-Based
  Performance Standards (RBPSs) identified in
  Section 27.230 of the regulations
• There are 19 RBPSs in the rule, addressing the
  following areas
• Guidance for Covered Facilities
• DHS will issue guidance on the application of
  these standards to risk-based tiers of covered
  facilities, and the acceptable layering of
  measures used to meet these standards will vary
  by risk based tier. 6 CFR 27.230(a)

1. Restricted Area Perimeter
2. Securing Site Assets
3. Screening and Access Controls
4. Deter, Detect, and Delay
5. Shipping, Receipt, and Storage
6. Theft and Diversion
7. Sabotage
8. Cyber
9. Response
10. Monitoring
11. Training

1. Personnel Surety
2. Elevated Threats
3. Specific Threats, Vulnerabilities, or Risks
4. Reporting of Significant Security Incidents
5. Significant Security Incidents and Suspicious
   Activities
6. Officials and Organizations
7. Records
8. Others as determined by DHS

11
Inspections and Audits

• Inspections Generally
• In order to asses compliance with the
  requirements of the regulations, DHS may enter,
  inspect, and audit covered facilities
• Inspections will follow preliminary approval of
  SSPs
• Timing of Inspections
• DHS will provide 24-hour advance notice of
  inspections, except
• If DHS determines that an inspection without such
  notice is warranted by exigent circumstances
• If any delay in conducting an inspection might be
  seriously detrimental to security, and the
  director of CSCD determines that an inspection
  without notice is warranted
• DHS may conduct spot inspections, if deemed
  necessary
• Inspectors
• Inspections and audits initially will be
  conducted by a team of specially trained Federal
  Protective Service inspectors detailed to CSCD
• Confidentiality of Information
• In addition to the protections afforded by CVI,
  information received in an audit or inspection
  shall remain confidential under the investigatory
  file exception, or other appropriate exception to
  the public disclosure requirements of 5 U.S.C.
  552.

12
Alternative Security Plans

• Definition
• A third-party or industry organization program
  that DHS has determined meets the requirements of
  6 CFR 27 and provides for an equivalent level of
  security to that established by the regulation
• Applicability
• Tier 4 facilities may submit an ASP in lieu of an
  SVA or SSP
• Tier 1, 2, 3 facilities may submit an ASP in
  lieu of a SSP, though they may not submit an ASP
  in lieu of an SVA, i.e., Tier 1, 2, 3
  facilities must submit a CSAT SVA
• Notification
• DHS will inform a covered facility of the
  approval or disapproval of an ASP in a fashion
  similar to notifications provided for following
  approval or disapproval of an SVA or SSP

13
Orders Adjudications

• Orders
• When DHS determines that a facility is in
  violation of any of the regulatory requirements,
  DHS may take appropriate action including the
  issuance of an appropriate Order
• Types of orders include Orders Assessing Civil
  Penalty and Orders to Cease Operations
• Civil penalties not to exceed 25,000 per day per
  violation
• Orders will include a description of the
  noncompliance, how to address the noncompliance,
  and the date by which the facility must comply
  with terms of the order
• Adjudication
• Any facility who has received a finding is
  entitled to an adjudication of any issue of
  material fact relevant to any administrative
  action which deprives that person of a cognizable
  interest in liberty or property
• Adjudications will be heard by a neutral
  adjudications officer
• Findings eligible for adjudication include
  potential security threat designations, SSP
  disapproval, and issuance of Orders
• To challenge a DHS determination, applicants must
  file Notice of Application for Review within
  seven calendar days of receipt of notification to
  the affected party of DHS Finding,
  Determination, or Order
• Orders typically are stayed from the time of the
  filing of a Notice of Application for Review
  until the Presiding Office issues an Initial
  Decision
• Appeals
• If an affected party disagrees with the Initial
  Decision received in the adjudication process, it
  has the right to appeal that decision to the
  Under Secretary

14
Chemical-terrorism Vulnerability Information

• Chemical-terrorism Vulnerability Information
  (CVI)
• CVI is an information handling regime established
  for the maintenance, safeguarding, and disclosure
  of the certain information and records related to
  the CFATS regulatory regime, including
• Security Vulnerability Assessments
• Site Security Plans
• Documents related to the review and approval of
  SVAs and SSPs
• Alternate Security Plans
• Documents related to inspections or audits, etc.
• Other similar documents
• All CVI materials must be appropriately marked,
  handled, and stored
• Eligible Persons to use CVI
• The following classes of people may use CVI if
  they have a need to know
• Facility employees
• Federal employees, contractors, and grantees
• State/local government employees
• CVI access will include training and
  certification
• Violation of CVI
• Violation of CVI is grounds for a civil penalty
  and other enforcement or corrective action by DHS
  and appropriate personnel actions for Federal
  employees

15
Review and Preemption of State Laws and
Regulations

• Preemption
• No law, regulation, or administrative action of a
  State or political subdivision thereof shall have
  any effect if such conflicts with, hinders, poses
  an obstacle to, or frustrates the purposes of
  this regulation or of any approval, disapproval,
  or order issued thereunder
• Review of State Laws
• DHS may review State laws, administrative
  actions, or opinions or orders of a court under
  State law and regulations submitted under this
  section, and may offer an opinion whether the
  application or enforcement of the State law or
  regulation would conflict with, hinder, pose and
  obstacle to or frustrate the purposes of this
  Part
• DHS may issue an opinion on any question
  regarding preemptions
• DHS will always seek the views of the State or
  local jurisdiction whose laws may be affected by
  the review