CFATS Covered Facilities and Inspections


Under CFATS, a chemical facility is any establishment or individual that possesses or plans to possess any of the more than 300 chemicals of interest (COI) listed in Appendix A at or above the specified screening threshold quantity (STQ) and concentration.

Through the CFATS process, the Cybersecurity and Infrastructure Security Agency (CISA) determines whether or not a facility is high-risk; assigns the facility a tier level of 1, 2, 3, or 4, with Tier 1 representing the highest risk; and reviews and approves the facility’s security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]).

Chemical security is not a temporary issue. After a high-risk chemical facility’s SSP/ASP is approved by CISA, the facility must continue to fully implement the security measures. CISA conducts inspections and/or audits at each of the CFATS covered facilities to review and approve security plans and to ensure facilities are continuing to fully implement the approved security measures.

CFATS Covered Facilities

The CFATS regulation applies to facilities across many industries—chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, universities and laboratories, paint and coatings, healthcare and pharmaceuticals.

CFATS Inspections

CISA conducts two types of inspections to verify and ensure high-risk chemical facilities are implementing security measures listed in their SSP/ASP.

Authorization Inspection (AI)

After a facility submits an SSP/ASP for review, CISA inspectors conduct an AI at the facility to verify and validate that the content listed in its security plan is accurate and complete, and to assist the facility in resolving any potential gaps identified. In order for the SSP/ASP to be approved, the facility’s existing and planned equipment, processes, and procedures must sufficiently meet the Risk-Based Performance Standards (RBPS).

Compliance Inspection (CI)

CISA inspectors conduct a CI to ensure that a facility continues to fully implement the existing and planned security measures described in the facility’s approved security plan, and to sufficiently meet the RBPS; and that any required corrective actions have been implemented and are sustainable. In addition, a CI can be conducted to discuss issues raised by CISA after a review of the facility’s case file.

Modified COVID-19 Compliance Operations

To minimize the possibility that personnel spread or become exposed to COVID-19, CISA had postponed nearly all Authorization Inspections, Compliance Inspections, and other onsite visits between mid-March and May 2020.

In June 2020, CISA piloted several options for modified compliance operations to verify that high-risk facilities are maintaining the security measures in their security plans during this pandemic operational environment while also limiting in-person interactions between CISA inspectors and facility personnel. Based on the pilot, CISA is now conducting modified compliance operations and high-priority compliance assistance.

CISA inspectors will be in contact if your facility had an inspection postponed or has an upcoming inspection. If you have any questions, please contact your local CISA inspector or email CFATS@hq.dhs.gov.

Facilities Excluded from CFATS

Certain facilities are excluded from the CFATS regulations by statute if they are:

  • Regulated by the Maritime Transportation Security Act (33 CFR Part 105). For facilities where only a portion of the facility is regulated under MTSA, and the facility possesses a threshold level of a COI in the portion of the facility not covered under MTSA, then the facility is only partially excluded and must complete a Top-Screen for the portion of the facility not subject to MTSA.
  • A public water system, as defined in 42 U.S.C. § 300.
  • A treatment works, as defined in 33 U.S.C. § 1292.
  • Owned or operated by the Department of Defense or Department of Energy.
  • Subject to regulation by the Nuclear Regulatory Commission (NRC) (42 U.S.C. § 2021). The exclusion does not apply to NRC-licensed facilities that only have a few radioactive sources and for which NRC security requirements are not imposed. The scope of exclusion has been formalized in a memorandum of understanding between CISA and the NRC including waste in combined storm water and sanitary sewer systems.

An agricultural production facility that uses the COI on crops, feed, land, livestock, or poultry may also be granted an indefinite time extension from reporting COI to CISA. Read more in Federal Register Vol. 73, No. 6, page 1640.

The Transportation Security Administration is the lead component within the Department for regulating the security of transportation facilities such as railroads and natural gas pipelines. The Agency does not currently require railroad facilities and truck terminals that possess COI at or above the STQ to complete the Top-Screen. See FAQs 1178 and 1780 on the CFATS Knowledge Center for more information.

The CFATS regulation does require the reporting of COI that meet or exceed the STQ and concentration found within any rail car that is detached from motive power. However, if the COI is attached to motive power, the COI does not need to be reported. The regulation requires the reporting of threshold quantities of theft/diversion and sabotage COI within any rail car at the facility, whether or not the rail car is attached or detached from motive power.

Covered chemical facilities with a pipeline within their boundaries must also identify the pipeline as an asset and address it, as appropriate, in the facility's Security Vulnerability Assessment/Site Security Plan.

Contact Information

Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.

For more information about the CFATS program, please contact CFATS@hq.dhs.gov.
