CFATS Risk-Based Performance Standards (RBPS) 15-16 — Security Incidents
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
RBPS 15 — Reporting of Significant Security Incidents and RBPS 16 — Significant Security Incidents and Suspicious Activities complement each other and address the importance of developing protocols and procedures for promptly and adequately identifying, investigating, and reporting all significant security incidents and suspicious activities in or near the site to appropriate entities.
Chemical facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program should establish protocols governing the identification and reporting of an incident to the appropriate facility personnel, as well as protocols for determining whether the incident is "significant" and thus should be reported to appropriate facility personnel, local law enforcement, and/or the Cybersecurity and Infrastructure Security Agency (CISA).
CFATS: Cyber Reporting
Learn more about when and how high-risk CFATS facilities should report cyber incidents to CISA.
Security Measures for Incidents
The easiest way for a facility to prepare its employees to do their part is to clearly explain to them—and especially to security staff—how to identify, respond to, and report an incident or activity. Facilities should consider establishing protocols for:
- Reporting an incident up through the security chain of command of the facility and the company that owns or operates the facility.
- Defining what kinds of security incidents are "significant" and should be reported to CISA, other federal agencies, and/or state or local law enforcement and first responders.
The facility should have written procedures in its security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) or elsewhere, to ensure that qualified personnel conduct thorough investigations of significant security incidents and suspicious activities to determine the level of threat, any vulnerabilities that were exploited, and what security upgrades (if any) are warranted.
As part of a facility's Security Awareness and Training Program (SATP), employees should be trained on these protocols, and lessons learned should be shared with appropriate facility personnel. (See RBPS 11 — Training or page 90 of the CFATS RBPS Guidance.)
Significant Security Incidents (Physical and Cyber)
Many events may be considered a security incident, including trespassing, vandalism, petty theft, cyberattacks, bomb threats, and armed attacks. It is generally within the facility's discretion to determine whether or not an incident is "significant" and thus should be reported to CISA and local law enforcement. Significant security incidents will likely include events arising from intentional threats that attempt to circumvent, or succeed in circumventing, a security measure, such as:
- An intentional breach of the facility's restricted area or perimeter.
- An intentional act to forcefully or covertly bypass an access control point.
- The theft or diversion, or suspected theft or diversion, of a chemical of interest (COI).
- An onsite fire, explosion, release of a COI, or other incident requiring the attention of local first responders.
- Any incident with malicious intent to adversely affect critical cyber assets, including information technology (IT) equipment.
Suspicious activities could include a pattern of suspicious people or vehicles in or near the facility, photographing the facility, or other unusual activity indicating that an adversary may be probing or assessing the facility's security capabilities. This may also include suspicious orders of COI from unknown customers, customers who request cash payments, or delivery to unknown locations or businesses.
Reporting an Incident
If a significant security incident is detected while in progress, the facility should immediately call local law enforcement and emergency responders via 9-1-1. Similarly, if the event has concluded but an immediate response is still necessary, the facility should immediately call 9-1-1.
Once an incident has been detected and response measures in the facility's security plan have been initiated, the facility should use a nonemergency number to contact local first responders and other federal, state, and local law enforcement entities, as applicable.
Reporting an Incident to CISA
When contacting CISA Central, facilities should indicate they are "critical infrastructure" and fall within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are regulated under CFATS, and include the facility identification number (i.e., FID) issued to them by CISA when they registered their facility in the Chemical Security Assessment Tool (CSAT).
CISA Central provides a critical infrastructure 24/7 watch-and-warning function and gives all critical infrastructure owners and operators a means to connect with and receive information from all CISA services.