The Chemical Facility Anti-Terrorism Standards (CFATS) program requires a facility that is determined to be high-risk to develop and implement security measures that meet applicable risk-based performance standards (RBPS) for securing chemicals of interest (COI).
Both the Homeland Security Appropriations Act of 2007, Pub. L. No. 109-295 § 550 and CFATS, 6 CFR Part 27, provide authority for the Cybersecurity and Infrastructure Security Agency (CISA) to conduct authorization inspections. Specifically, 6 CFR § 27.250(a) provides authority for the Agency to enter, inspect, and audit the property, equipment, operations, and records of CFATS covered facilities.
While the Agency is committed to helping facility personnel understand and comply with CFATS by providing technical assistance or onsite consultation, CISA also has the authority to enforce compliance with the program.
CFATS violations are divided into several categories:
- Failure to File Violations
- Submission of False Information
- Security Vulnerability Assessment (SVA)/Site Security Plan (SSP)/Alternative Security Program (ASP) Deficiencies (generally found during the authorization and approval process)
- SSP/ASP Infractions (generally found during Compliance Inspections)
- Chemical-terrorism Vulnerability Information (CVI) Violations
CFATS Penalty Policy
CISA is authorized to issue an Administrative Order (A Order) and an Order Assessing Civil Penalty (B Order) to a chemical facility found to be in violation of CFATS. Both A Orders and B Orders may be appealed pursuant to the procedures set forth in 6 CFR Part 27 Subpart C.