The Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program (EAP) is an optional process that Tier 3 and Tier 4 high-risk chemical facilities can choose to submit their Site Security Plan (SSP) for approval from CISA to bypass the pre-approval authorization and Authorization Inspection step in the CFATS process. Facilities with an approved EAP SSP enter directly into the CFATS regulatory cycle.
- Read or download the CFATS EAP Fact Sheet
- Read or download the DHS Guidance for the Expedited Approval Program
The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (“CFATS Act of 2014”), Public Law 113-254 (6 U.S.C. § 621, et seq.), established the Expedited Approval Program (EAP), and directed the Department of Homeland Security (DHS) to issue prescriptive guidance that “identifies specific security measures that are sufficient to meet the risk-based performance standards” for facilities that choose to submit an SSP pursuant to the EAP. See 6 U.S.C § 622(c)(4)(B)(i).
Along with the EAP SSP, the facility must submit a certification (see below) that certifies the owner or operator has visited, examined, documented, and verified that the facility meets the criteria in the SSP. See 6 U.S.C. § 622(c)(4)(C).
DHS Guidance for EAP
The DHS Guidance for the Expedited Approval Program provides Tier 3 and 4 covered chemical facilities with a better understanding of security measures that could be used to meet the Risk-Based Performance Standards (RBPS), and helps identify and select processes, measures, and activities they may choose to implement in order to secure and monitor their facility. The prescriptive measures contained in the Guidance are intended to apply specifically to facilities that elect to participate in the EAP.
Note: The security posture of facilities submitting a security plan (SSP or Alternative Security Program [ASP]) through the regular, nonprescriptive CFATS process will continue to be evaluated against the RBPS in a holistic fashion.
The certification is a document that is signed under penalty of perjury by the owner or operator of an expedited approval facility and submitted with the EAP SSP that certifies compliance with all of the requirements contained in 6 U.S.C. § 622(c)(4)(C).
Participation in the EAP
A facility that elects to submit an SSP under the EAP must notify CISA of its intention to do so at least 30 days prior to submitting the SSP and certification via the Agency's Chemical Security Assessment Tool (CSAT), or via a letter sent to:
Department of Homeland Security
Cybersecurity and Infrastructure Security Agency
Infrastructure Security Division
245 Murray Lane, Mail Stop 0610
Arlington, VA 20528
All Tier 3 and Tier 4 facilities that choose to use the EAP to submit an SSP must include security measures that cover all of the RBPS. The security measures within the EAP SSP must either be existing security measures or planned measures with a clear timeline for implementation not to exceed twelve (12) months from date of the approval. See 6 U.S.C. § 622(c)(4)(C)(v).
If a facility uses a security measure that materially deviates from a measure specified in the Guidance, then the facility’s SSP must identify the deviation for the specific security measure and explain how the new measure meets the relevant RBPS. See 6 U.S.C. § 622(c)(4)(B)(ii).
For further questions about the EAP, please contact CFATS@hq.dhs.gov.