Chemical Facility Anti-Terrorism Standards (CFATS) Covered Chemical Facilities
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
Under CFATS, a chemical facility is any establishment or individual that possesses or plans to possess any of the more than 300 chemicals of interest (COI) listed in Appendix A at or above the specified screening threshold quantity (STQ) and concentration.
Through the CFATS process, the Cybersecurity and Infrastructure Security Agency (CISA) determines whether or not a facility is high-risk; assigns high-risk facilities a tier level of 1, 2, 3, or 4 with Tier 1 representing the highest risk; and reviews and approves the facility's security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]).
Chemical security is not a temporary issue. After a high-risk chemical facility's SSP/ASP is approved by CISA, the facility must continue to fully implement the security measures. CISA conducts inspections and/or audits at each of the CFATS covered facilities to review and approve security plans and to ensure facilities are continuing to fully implement the approved security measures.
CFATS Covered Facilities
The CFATS regulation applies to facilities across many industries—including chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, universities and laboratories, paint and coatings, healthcare, and pharmaceuticals.
CISA conducts two types of inspections to verify and ensure high-risk chemical facilities are implementing security measures listed in their SSP/ASP.
Authorization Inspection (AI)
After a facility submits either an SSP or an ASP for review, CISA inspectors conduct an AI at the facility to verify and validate that the content listed in their security plan is accurate and complete, and to assist the facility in resolving any potential gaps identified. In order for the SSP/ASP to be approved, the facility's existing and planned equipment, processes, and procedures must sufficiently meet the Risk-Based Performance Standards (RBPS).
Download a printer-friendly CFATS Authorization Inspection Fact Sheet.
Compliance Inspection (CI)
CISA inspectors conduct a CI to ensure that a facility continues to fully implement the existing and planned security measures described in the facility's approved security plan, and to sufficiently meet the RBPS; and that any required corrective actions have been implemented and are sustainable. In addition, a CI can be conducted to discuss issues raised by CISA after a review of the facility's case file.
Download a printer-friendly CFATS Compliance Inspection Fact Sheet.
Modified COVID-19 Compliance Operations
To minimize the possibility that personnel spread or became exposed to COVID-19, CISA postponed nearly all Authorization Inspections, Compliance Inspections, and other onsite visits between mid-March and May 2020.
In June 2020, CISA piloted several options for modified compliance operations to verify that high-risk facilities are maintaining the security measures in their security plans during this pandemic operational environment while also limiting in-person interactions between CISA inspectors and facility personnel. Based on the pilot, CISA is now conducting modified compliance operations and high-priority compliance assistance.
CISA inspectors will be in contact if your facility had an inspection postponed or has an upcoming inspection. If you have any questions, please contact your local CISA inspector or email CFATS@hq.dhs.gov.
Facilities Excluded from CFATS
Certain facilities are excluded from the CFATS regulations by statute if they are:
- Regulated by the Maritime Transportation Security Act (33 CFR Part 105). For facilities where only a portion of the facility is regulated under MTSA, and the facility possesses a threshold level of a COI in the portion of the facility not covered under MTSA, then the facility is only partially excluded and must complete a Top-Screen for the portion of the facility not subject to MTSA.
- A public water system, as defined in 42 U.S.C. § 300.
- A treatment works, as defined in 33 U.S.C. § 1292.
- Owned or operated by the Department of Defense or Department of Energy
- Subject to regulation by the Nuclear Regulatory Commission (NRC) (42 U.S.C. § 2021). The exclusion does not apply to NRC-licensed facilities that only have a few radioactive sources and for which NRC security requirements are not imposed. The scope of exclusion has been formalized in a memorandum of understanding between CISA and the NRC including waste in combined storm water and sanitary sewer systems.
An agricultural production facility that uses the COI on crops, feed, land, livestock, or poultry may also be granted an indefinite time extension from reporting COI to CISA. Read more in Federal Register Vol. 73, No. 6, page 1640.
To understand the agricultural extension, download a printer-friendly CFATS Agricultural Production Facilities Fact Sheet.
The Transportation Security Administration is the lead component within the Department of Homeland Security for regulating the security of transportation facilities such as railroads and natural gas pipelines. CISA does not currently require railroad facilities and truck terminals that possess COI at or above the STQ to complete a Top-Screen. See FAQs 1178 and 1789 on the CFATS Knowledge Center for more information.
The CFATS regulation does require the reporting of COI that meet or exceed the STQ and concentration found within any rail car that is detached from motive power. However, if the COI is attached to motive power, the COI does not need to be reported. The regulation requires the reporting of threshold quantities of theft/diversion and sabotage COI within any rail car at the facility, whether or not the rail car is attached or detached from motive power.
Covered chemical facilities with a pipeline within their boundaries must also identify the pipeline as an asset and address it, as appropriate, in the facility's Security Vulnerability Assessment/Site Security Plan.
Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.
For more information about the CFATS program, please contact CFATS@hq.dhs.gov.