Chemical-terrorism Vulnerability Information (CVI)

Chemical-terrorism Vulnerability Information (CVI) is the information protection regime administered under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation to ensure information chemical facilities provide to the Cybersecurity and Infrastructure Security Agency (CISA) is protected from public disclosure or misuse. Accordingly, the Agency expects individuals in possession of CVI to safeguard it with equal care.

For access to CVI—which includes having a need to know and obtaining an Authorized User number—visit the CVI training page. Only CVI Authorized Users can access CFATS-related documents housed in the portal.

The CVI Procedures Manual provides guidance to anyone authorized to possess, disclose, or receive CVI on how to ensure sensitive information about the Nation's high-risk chemical facilities is safeguarded.

CVI Overview

The Homeland Security Appropriations Act of 2007, Pub. L. No. 109-295 directed the Department to protect any information developed or submitted under Section 550 of the Act from inappropriate public disclosure. This includes information that is developed and/or submitted to CISA under the CFATS regulation (6 CFR Part 27). In 2014, Congress reauthorized and amended CFATS through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, Pub. L. No. 113-254.

A covered person is an individual who has a need to know CVI or someone who gains access to what they know to be or reasonably know to constitute CVI.

Defining CVI

The following information (whether written, verbal, electronic, digital, or otherwise) is specified in 6 CFR § 27.400(b)(1) to (9) as CVI:

  • Security Vulnerability Assessment (SVAs) under 6 CFR § 27.215
  • Site Security Plan (SSPs) under 6 CFR § 27.225
  • Documents relating to the Agency's review and approval of SVA and SSP, including Letters of Authorization, Letters of Approval, and responses thereto; written notices; and other documents developed pursuant to 6 CFR §§ 27.240 or 27.245
  • Alternative Security Program (ASPs) under 6 CFR § 27.235
  • Documents relating to inspections or audits under 6 CFR § 27.250
  • Any records required to be created or retained by a covered facility under 6 CFR § 27.255
  • Sensitive portions of orders, notices, or letters under 6 CFR § 27.300
  • Information developed pursuant to 6 CFR §§ 27.200 or 27.205 (such as the CSAT Top-Screen and the determination by the Assistant Secretary that a chemical facility presents a high level of security risk)
  • Other information developed for chemical facility security purposes that the Secretary, in his discretion, determines is similar to the information protected in 6 CFR § 27.400(b)(1) through (8)

The process for a facility to seek designation of CVI under 6 CFR § 27.400(b)(9) is described in Section 5.3 of the Revised CVI Procedures Manual.

Handling CVI

Materials containing CVI must be appropriately designated and withheld from public disclosure. CVI must also be physically controlled and protected. The protections include:

  • Storage of CVI
  • Marking of CVI
  • Transmission of CVI
  • Responsibilities when in transit with CVI
  • Destruction of CVI

Use the CVI cover sheet to help safeguard CVI from unauthorized or inadvertent disclosure by placing it on the front and back of transmittal letters, reports, or documents.

Sharing CVI

Access to and/or disclosure of CVI is based on the following general principles:

  1. Except in exigent or emergency circumstances, CVI may only be disclosed to CVI Authorized Users with a need to know.
  2. A need to know should be assessed on a case-by-case basis (typically including an individualized assessment of the documents involved).
  3. A covered person in possession of CVI should take reasonable steps to confirm that any individual seeking access to CVI is a CVI Authorized User and has a need to know.

CISA provides each CVI Authorized User with a unique identification number. Before sharing CVI, ask for this number. You can contact the CSAT Help Desk at 866-323-2957 to confirm a person's CVI Authorized User status.

Contact Information

Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.

If you have questions, call the CFATS Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET), or email

Was this document helpful?  Yes  |  Somewhat  |  No