CFATS Covered Facilities and Inspections

Two chemical tanksUnder CFATS, a chemical facility is any establishment or individual that possesses or plans to possess any of the more than 300 chemicals of interest (COI) listed in Appendix A at or above the specified screening threshold quantity (STQ).

Through the CFATS process, the Cybersecurity and Infrastructure Security Agency (CISA) determines whether or not a facility is high-risk; assigns the facility a tier level of 1, 2, 3, or 4 with Tier 1 representing the highest-risk; and reviews and approves the facility’s security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]).

Chemical security is not a temporary issue. After a high-risk chemical facility’s SSP/ASP is approved by CISA, the facility must continue to fully implement the security measures. CISA conducts inspections and/or audits at each of the CFATS covered facilities to review and approve security plans and to ensure facilities are continuing to fully implement the approved security measures.

CFATS Covered Facilities

The CFATS regulation applies to facilities across many industries—chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, universities and laboratories, paint and coatings, healthcare and pharmaceuticals.

CFATS Inspections

CISA conducts two types of inspections to verify and ensure high-risk chemical facilities are implementing security measures listed in their SSP/ASP.

Authorization Inspection (AI)

After a facility submits either a SSP/ASP for review, CISA inspectors conduct an AI at the facility to verify and validate that the content listed in their security plan is accurate and complete, and to assist the facility in resolving any potential gaps identified. In order for the SSP/ASP to be approved, the facility’s existing and planned equipment, processes, and procedures must sufficiently meet the Risk-Based Performance Standards (RBPS).

Compliance Inspection (CI)

CISA inspectors conduct a CI to ensure that a facility continues to fully implement the existing and planned security measures described in the facility’s approved security plan, and to sufficiently meet the RBPS; and that any required corrective actions have been implemented and are sustainable. In addition, a CI can be conducted to discuss issues raised by CISA after a review of the facility’s case file.

Modified COVID-19 Compliance Operations

To minimize the possibility that personnel spread or become exposed to COVID-19, CISA has postponed nearly all Authorization Inspections, Compliance Inspections, and other onsite visits since mid-March 2020.

Effective June 2020, CISA is piloting three options for modified compliance operations to verify that high-risk facilities are maintaining the security measures in their security plans during this pandemic operational environment while also limiting in-person interactions between CISA inspectors and facility personnel.

CISA inspectors will be in contact if your facility had an inspection postponed or have an upcoming inspection. If you have any questions, please contact your local CISA inspector or email

Facilities Excluded from CFATS

Certain facilities are excluded from the CFATS regulations by statute if they are:

  • Regulated by the Maritime Transportation Security Act
  • A public water system, as defined in 42 U.S.C. § 300
  • A treatment works, as defined in 33 U.S.C. § 1292
  • Owned or operated by the Department of Defense or Department of Energy
  • Subject to regulation by the Nuclear Regulatory Commission

An agricultural production facility that uses the COI on crops, feed, land, livestock, or poultry may also be granted an indefinite time extension from reporting COI to CISA. Read more in Federal Register Vol. 73, No. 6, page 1640.

The Transportation Security Administration is the lead component within the Department for regulating the security of transportation facilities such as railroads and natural gas pipelines. The Agency does not currently require railroad facilities that possess COI that meet or exceed the STQ to complete the Top-Screen.

The CFATS regulation does require the reporting of COI that meet or exceed the STQ found within any rail car that is detached from motive power. However, if the COI is attached to motive power, the COI does not need to be reported. The regulation requires the reporting of threshold quantities of theft/diversion and sabotage COI within any rail car at the facility, whether or not the rail car is attached or detached from motive power.

Covered chemical facilities with a pipeline within their boundaries must also identify the pipeline as an asset and address it, as appropriate, in the facility's Security Vulnerability Assessment/Site Security Plan.

Contact Information

Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.

For more information about the CFATS program, please contact

Was this document helpful?  Yes  |  Somewhat  |  No