Chemical Facility Anti-Terrorism Standards (CFATS) Process
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
The Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) applies to any facility—from an individual to an establishment—that possesses any chemical of interest (COI) at or above the screening threshold quantity (STQ) and concentration listed in Appendix A.
Before beginning the CFATS process, check the statutory exclusions.
If your facility is not statutorily excluded and possesses any Appendix A COI at or above STQ and concentration, you must report your chemical holdings to the Cybersecurity and Infrastructure Security Agency (CISA) through a Top-Screen. The purpose of CFATS is to ensure that any facility identified by CISA as high-risk following its submission of a Top-Screen has sufficient security measures in place to reduce the risks associated with its COI.
CFATS Process Video
The CFATS Process (YouTube video) describes the process for complying with the CFATS regulation for facilities that possess COI.
Chemical-Terrorism Vulnerability Information (CVI)
Only CVI-certified individuals can access the CFATS-related applications in the Chemical Security Assessment Tool (CSAT). CVI ensures that information provided to CISA will be protected from public disclosure or misuse. Accordingly, CISA requires individuals in possession of CVI to safeguard it with equal care.
Register Your Facility for CSAT Access
The Chemical Security Assessment Tool (CSAT) is a secure, online portal that helps facilities maneuver through the CFATS process. The portal houses the CFATS-related applications.
After you register your facility, CISA will email you a user identification and password to access CSAT. Review the CSAT Portal and Survey Application User Manuals.
Submit a Top-Screen and Receive a Risk Determination
The Top-Screen is a survey that starts the reporting process. All facilities have 60 days from the time they come into possession of COI to submit a Top-Screen. CISA reviews your Top-Screen using a risk-based methodology to determine if your facility is "high-risk." If you are deemed "high-risk," you will receive a Tier of 1, 2, 3, or 4, with Tier 1 being the highest risk.
Complete an Assessment and Submit a Security Plan
Tiered facilities must submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP) or an Alternative Security Program (ASP) that meet the CFATS Risk-Based Performance Standards (RBPS). Tier 3 and 4 facilities also have the option to submit an Expedited Approval Program (EAP) SSP in lieu of an SSP or ASP.
The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities—perimeter security, access control, personnel security, cyber security, and more—that are tailored to the tier level and unique considerations of the facility.
Log in to CSAT to submit an SVA and an SSP/ASP.
The CSAT SVA/SSP Instructions provide a question-by-question walkthrough of the SVA and SSP/ASP surveys.
Authorization and Authorization Inspection (AI)
Upon receipt of an SSP or ASP from your facility (but not an EAP SSP), CISA will review the documentation and make an initial determination as to whether it satisfies the requirements of the CFATS regulation. If CISA finds that the requirements are satisfied, your facility will receive a Letter of Authorization.
A CISA Chemical Security Inspector will then be in contact to schedule an Authorization Inspection (AI). The AI will verify that the content listed in the security plan is accurate and that existing and planned measures satisfy the RBPS requirements.
Note: If the SSP/ASP does not meet RBPS requirements, your facility must address the deficiencies and resubmit the SSP/ASP by the specified date.
If CISA approves the SSP/ASP, your facility will receive a Letter of Approval and enter into the compliance cycle.
EAP SSP Acceptance
Tier 3 and 4 facilities also have the option of submitting an EAP SSP in lieu of an SSP or ASP. Your submission will be accepted if it is not found to be facially deficient. If accepted, your facility will not undergo the authorization process. Instead, your facility will immediately enter into the compliance cycle.
CISA Inspectors will conduct recurring Compliance Inspections (CIs) to ensure your facility continues to fully implement the approved security measures.
If you have technical questions regarding CSAT, please call the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET).
For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.