These metrics show the maturation and growth of the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27). Metrics under “Since Inception” include facilities that were tiered when the activity occurred but were subsequently determined to no longer be high-risk. Typical reasons for a change in high-risk status includes removal of chemicals of interest (COI), reduction of the quantity of COI onsite, replacement of the COI with a lower concentration COI, and/or facility sale or closure.
Note: This regulatory program is cyclical in nature, meaning activities such as Compliance Inspections (CIs) are recurring. The Cybersecurity and Infrastructure Security Agency (CISA) began conducting recurring CIs in March 2017.
To date, CISA has received more than 103,000 Top-Screen submissions from more than 43,000 unique facilities. Of these, CFATS currently covers 3,246 facilities. These high-risk facilities are divided into four tiers, with Tier 1 facilities posing the highest security risk. Learn more about the CFATS Process.
|Activity||Since Inception||December 2021|
|Authorization Inspections (AIs)*||4,480||11|
|Compliance Inspections (CIs)*||8,390||116|
|Compliance Assistance Visit (CAVs)*||9,608||62|
Note: If an activity is canceled, it will be removed from the system. This may lead to a small change in the monthly numbers.
* To minimize the possibility that personnel spread or became exposed to COVID-19, CISA postponed nearly all Authorization Inspections, Compliance Inspections, and other onsite visits beginning in mid-March 2020. In June 2020, CISA began piloting three options for modified compliance operations to verify that high-risk facilities are maintaining the security measures in their security plans during this pandemic operational environment while also limiting in-person interactions between CISA inspectors and facility personnel. Based on the pilot, CISA is now conducting modified compliance operations, which include Compliance Audits, modified Authorization and Compliance Inspections, and high-priority compliance assistance.
CFATS Facility Status
Approved Facilities: This metric shows the number of facilities that are currently approved. Once a facility’s security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) is approved and a Letter of Approval is issued, the facility enters into a regulatory cycle of CIs.
Authorized Facilities: This metric shows the number of facilities that are currently authorized. Once a facility has submitted their security plan (SSP or ASP), a Letter of Authorization will be issued if the security measures appear to satisfy the applicable established risk-based performance standards (RBPS) requirements.
Authorization Inspections (AIs): This metric shows the number of Authorization Inspections completed. Once a Letter of Authorization is issued, an AI is conducted at facilities to verify and validate that the content listed in the facility’s SSP or ASP is accurate and complete, and that existing and planned equipment, processes, and procedures are appropriate and sufficient to meet the RBPS specified in the CFATS regulation. This inspection occurs prior to the final approval of the facility’s SSP or ASP.
Compliance Assistance Visits (CAVs): This metric shows the number of Compliance Assistance Visits completed. CAVs provide CFATS-covered facilities and facilities of interest an in-depth knowledge of how to meet CFATS requirements, such as determining COI reporting requirements, submitting or resubmitting a Top-Screen, developing an SSP or ASP, editing an SSP based on a change in security posture or tiering, or assistance in complying with any other part of the regulation. Compliance assistance also includes interactions and compliance assistance communications between CISA and high-risk facilities that occurred between March and May 2020 during the height of the COVID-19 pandemic in which no visit was actually made.
Compliance Audits: This metric shows the number of Compliance Audits conducted. During a Compliance Audit, CISA inspectors remotely review and then lead a discussion with facility personnel on records and documentation related to the facility’s COI and the security measures described in the facility’s security plan.
Compliance Inspections (CIs): This metric shows the number of Compliance Inspections completed. A CI is conducted after a Letter of Approval has been issued. It is part of the recurring inspection process to ensure the covered facility continues to implement its approved SSP or ASP, and that existing and planned security measures are appropriate and sufficient to meet the RBPS. CIs will typically occur every one to two years, or as needed.
Tiered Facilities: Once a facility has submitted a Top-Screen, CISA uses a risk-based tiering methodology to determine if the facility is high-risk. This metric shows the number of high-risk facilities that are currently tiered and are pending Authorizations and Approval.