The Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) applies to any facility—from an individual to an establishment—that possesses any chemical of interest (COI) at or above the screening threshold quantity (STQ) and concentration listed in Appendix A.
Before beginning the CFATS process, check the statutory exclusions.
If your facility is not statutorily excluded and possesses any Appendix A COI at or above STQ and concentration, you must report your chemical holdings to the Cybersecurity and Infrastructure Security Agency (CISA) through a Top-Screen. The purpose of CFATS is to ensure that any facility identified by CISA as high-risk following its submission of a Top-Screen has sufficient security measures in place to reduce the risks associated with its COI.
Chemical-Terrorism Vulnerability Information (CVI)
Only CVI-certified individuals can access the CFATS-related applications in the Chemical Security Assessment Tool (CSAT). CVI ensures that information provided to CISA will be protected from public disclosure or misuse. Accordingly, CISA requires individuals in possession of CVI to safeguard it with equal care.
- Complete the CVI Authorized User Training.
Register Your Facility for CSAT Access
The Chemical Security Assessment Tool (CSAT) is a secure, online portal that helps facilities maneuver through the CFATS process. The portal houses the CFATS-related applications.
- Register your facility for access to CSAT. After you register your facility, CISA will email you a user identification and password to access CSAT.
- Review the CSAT 2.0 Portal User Manual.
- Review the CSAT 2.0 Survey Application User Manual.
Submit a Top-Screen and Receive a Risk Determination
The Top-Screen is a survey that starts the reporting process. All facilities have 60 days from the time they come into possession of COI to submit a Top-Screen. CISA reviews your Top-Screen using a risk-based methodology to determine if your facility is “high-risk.” If you are deemed “high-risk,” you will receive a Tier of 1, 2, 3, or 4, with Tier 1 being the highest risk.
Complete an Assessment and Submit a Security Plan
Tiered facilities must submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP) or an Alternative Security Plan (ASP) that meet the CFATS Risk-Based Performance Standards (RBPS). Tier 3 and 4 facilities also have the option to submit an Expedited Approval Program (EAP) SSP in lieu of an SSP or ASP.
The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities—perimeter security, access control, personnel security, cyber security, and more—that are tailored to the tier level and unique considerations of the facility.
- Log in to CSAT to submit an SVA and an SSP/ASP.
- Review the CSAT SVA/SSP Instructions, which provide a question-by-question walk-through of the SVA and SSP/ASP surveys.
Authorization and Authorization Inspection (AI)
Upon receipt of an SSP or ASP from your facility (but not an EAP SSP), the Agency will review the documentation and make an initial determination as to whether it satisfies the requirements of the CFATS regulation. If the Agency finds that the requirements are satisfied, your facility will receive a Letter of Authorization.
A CISA Inspector will then be in contact to schedule an Authorization Inspection (AI). The AI will verify that the content listed in the security plan is accurate and that existing and planned measures satisfy the RBPS requirements.
Note: If the SSP/ASP does not meet RBPS requirements, your facility must address the deficiencies and resubmit the SSP/ASP by the specified date.
If the Agency approves the SSP/ASP, your facility will receive a Letter of Approval and enter into the compliance cycle.
EAP SSP Acceptance
Tier 3 and 4 facilities also have the option of submitting an EAP SSP in lieu of an SSP or ASP. Your submission will be accepted if it is not found to be facially deficient. If accepted, your facility will not undergo the authorization process. Instead, your facility will immediately enter into the compliance cycle.
CISA Inspectors will conduct recurring Compliance Inspections (CI) to ensure your facility continues to fully implement the approved security measures.
For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.