Following the review of a facility’s Top-Screen submission, the Cybersecurity and Infrastructure Security Agency (CISA) will notify the facility if it is considered to be high-risk and covered under CFATS, and assigned to Tier 1, 2, 3, or 4, with Tier 1 representing the highest risk.
All covered chemical facilities are required to submit a Security Vulnerability Assessment (SVA) and one of two types of security plans—Site Security Plan (SSP) or the Alternative Security Program (ASP)—through the Chemical Security Assessment Tool (CSAT) for CISA approval.
The facility's SVA and SSP due dates run in parallel—both must be submitted within 120 days from the date of written notification from CISA. Tier 4 facilities may elect to submit an ASP in lieu of an SVA. Tier 1-4 facilities may submit an ASP in lieu of an SSP.
- The CSAT 2.0 SVA/SSP Instructions provide a question-by-question walk through of the SVA and SSP surveys.
Security Vulnerability Assessment (SVA)
All covered chemical facilities are required to complete an SVA via CSAT to identify the facility’s use of chemicals of interest (COI), critical assets, and measures related to the facility’s policies, procedures, and resources that are necessary to support the facility’s security plan.
The SVA provides an analysis of the facility’s security posture and potential vulnerabilities which may include incomplete documentation, lack of training, or insufficient resources.
What is a Critical Asset?
A critical asset is an asset whose theft, diversion, loss, damage, disruption, or degradation would result in a significant adverse impact to human life, national security, or a critical economic asset.
Assets include but are not limited to:
- Physical security infrastructure, activities, procedures, personnel, or measures that comprise all or part of the facility’s system for managing security risks
- Physical safety infrastructure, activities, procedures, personnel, or measures that comprise all or part of the facility’s system for managing process safety and emergency response measures
- Cyber systems involved in the management of processes, process safety, security, product or material stewardship, or business management and control
- Vessels, process equipment, piping, transport vessels, or any container or equipment used in the processing or holding of chemicals
- On-site and off-site response protocols
- Warehouses, vaults, storage bays, and similar infrastructure; and
- Specially trained, qualified personnel who are engaged in the management of security and safety risk
Site Security Plan (SSP)
Along with the SVA, all covered chemical facilities are required to submit an SSP—a CSAT generated, easy-to-use online questionnaire that allows a facility to describe existing or planned security measures tailored to the risk level (Tier 1, Tier 2, Tier 3, or Tier 4) and unique considerations of the facility.
An SSP must meet the CFATS Risk-Based Performance Standards (RBPS). The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities such as perimeter security, access control, personnel security, cyber security, and more.
Alternative Security Program (ASP)
All covered chemical facilities have the option of submitting an ASP in place of the SSP. The ASP allows a facility to develop its own template document for addressing CFATS requirements. An ASP must describe how the facility’s security measures will meet or exceed each applicable RBPS and should appropriately address the tier and security concerns of the facility.
- CSAT 2.0 Personnel Surety Program (PSP) Instructions
- CSAT 2.0 Portal User Manual
- CSAT 2.0 Survey Application User Manual
- CSAT 2.0 SVA/SSP Instructions
- CSAT 2.0 Top-Screen Instructions
Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.
If you have additional questions, please call the CFATS Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET).