CFATS Process

The Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) applies to any facility—from an individual to an establishment—that possesses any chemical of interest (COI) at or above the screening threshold quantity (STQ) and concentration listed in Appendix A.

Before beginning the CFATS process, check the statutory exclusions.

If your facility is not statutorily excluded and possesses any Appendix A COI at or above STQ and concentration, you must report your chemical holdings to the Cybersecurity and Infrastructure Security Agency (CISA) through a Top-Screen. The purpose of CFATS is to ensure that any facility identified by CISA as high-risk following its submission of a Top-Screen has sufficient security measures in place to reduce the risks associated with its COI.

This is the chart of the CFATS steps facilities with DHS Appendix A chemicals of interest (COI) should follow to determine if they are covered under CFATS as explained in the following text.

Process Steps

Chemical-Terrorism Vulnerability Information (CVI)

Only CVI-certified individuals can access the CFATS-related applications in the Chemical Security Assessment Tool (CSAT). CVI ensures that information provided to CISA will be protected from public disclosure or misuse. Accordingly, CISA requires individuals in possession of CVI to safeguard it with equal care.

Register Your Facility for CSAT Access

The Chemical Security Assessment Tool (CSAT) is a secure, online portal that helps facilities maneuver through the CFATS process. The portal houses the CFATS-related applications.

Submit a Top-Screen and Receive a Risk Determination

The Top-Screen is a survey that starts the reporting process. All facilities have 60 days from the time they come into possession of COI to submit a Top-Screen. CISA reviews your Top-Screen using a risk-based methodology to determine if your facility is “high-risk.” If you are deemed “high-risk,” you will receive a Tier of 1, 2, 3, or 4, with Tier 1 being the highest risk.

Complete an Assessment and Submit a Security Plan

Tiered facilities must submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP) or an Alternative Security Plan (ASP) that meet the CFATS Risk-Based Performance Standards (RBPS). Tier 3 and 4 facilities also have the option to submit an Expedited Approval Program (EAP) SSP in lieu of an SSP or ASP.

The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities—perimeter security, access control, personnel security, cyber security, and more—that are tailored to the tier level and unique considerations of the facility.

Authorization and Authorization Inspection (AI)

Upon receipt of an SSP or ASP from your facility (but not an EAP SSP), the Agency will review the documentation and make an initial determination as to whether it satisfies the requirements of the CFATS regulation. If the Agency finds that the requirements are satisfied, your facility will receive a Letter of Authorization.

A CISA Inspector will then be in contact to schedule an Authorization Inspection (AI). The AI will verify the content listed in the security plan is accurate and that existing and planned measures satisfy the RBPS requirements.

Note: If the SSP/ASP does not meet RBPS requirements, your facility must address the deficiencies and resubmit the SSP/ASP by the specified date.

SSP/ASP Approval

If the Agency approves the SSP/ASP, your facility will receive a Letter of Approval and enter into the compliance cycle.

EAP SSP Acceptance

Tier 3 and 4 facilities also have the option of submitting an EAP SSP in lieu of an SSP or ASP. Your submission will be accepted if it is not found to be facially deficient. If accepted, your facility will not undergo the authorization process. Instead, your facility will immediately enter into the compliance cycle.

Compliance Inspections

CISA Inspectors will conduct reoccurring Compliance Inspections (CI) to ensure your facility continues to fully implement the approved security measures.

CFATS Process Video

The CFATS Process (YouTube video) describes the process for complying with the CFATS regulation for facilities that possess COI.

Contact Information

For more information regarding the CFATS program, please contact

Was this webpage helpful?  Yes  |  Somewhat  |  No