Chemical-terrorism Vulnerability Information (CVI)

Chemical-terrorism Vulnerability Information (CVI) is the information protection regime administered under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation to ensure information chemical facilities provide to the Cybersecurity and Infrastructure Security Agency (CISA) is protected from public disclosure or misuse. Accordingly, the Agency expects individuals in possession of CVI to safeguard it with equal care.

For access to CVI—which includes having a need to know and obtaining an Authorized User number—visit the CVI training page. Only CVI Authorized Users can access CFATS-related documents housed in the Chemical Security Assessment Tool (CSAT).

The CVI Procedures Manual (PDF, 647 KB) provides guidance to anyone authorized to possess, disclose, or receive CVI on how to ensure sensitive information about the nation's high-risk chemical facilities is safeguarded.

CVI Overview

The Homeland Security Appropriations Act of 2007, Pub. L. No. 109-295 directed the Department to protect any information developed or submitted under Section 550 of the Act from inappropriate public disclosure. This includes information that is developed and/or submitted to CISA under the CFATS regulation (6 CFR Part 27). In 2014, Congress reauthorized and amended CFATS through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, Pub. L. No. 113-254.

A covered person is an individual who has a need to know CVI or someone who gains access to what they know to be or reasonably know to constitute CVI.

Defining CVI

The following information (whether written, verbal, electronic, digital, or otherwise) is specified in 6 CFR § 27.400(b)(1) to (9) as CVI:

The process for a facility to seek designation of CVI under 6 CFR § 27.400(b)(9) is described in Section 5.3 of the Revised CVI Procedures Manual (PDF, 647 KB).

Handling CVI

Materials containing CVI must be appropriately designated and withheld from public disclosure. CVI must also be physically controlled and protected. The protections include:

  • Storage of CVI
  • Marking of CVI
  • Transmission of CVI
  • Responsibilities when in transit with CVI
  • Destruction of CVI

Use the CVI cover sheet (PDF, 41 KB) to help safeguard CVI from unauthorized or inadvertent disclosure by placing it on the front and back of transmittal letters, reports, or documents.

Sharing CVI

Access to and/or disclosure of CVI is based on the following general principles:

  1. Except in exigent or emergency circumstances, CVI may only be disclosed to CVI Authorized Users with a need to know.
  2. A need to know should be assessed on a case-by-case basis (typically including an individualized assessment of the documents involved).
  3. A covered person in possession of CVI should take reasonable steps to confirm that any individual seeking access to CVI is a CVI Authorized User and has a need to know.

CISA provides each CVI Authorized User with a unique identification number. Before sharing CVI, ask for this number. You can contact the CSAT Help Desk at 866-323-2957 to confirm a person's CVI Authorized User status.

Contact Information

Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.

If you have questions or need technical assistance, contact the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET) or via email at

Was this webpage helpful?  Yes  |  Somewhat  |  No