Chemical Security Assessment Tool (CSAT) Security Vulnerability Assessment (SVA) and Site Security Plan (SSP)
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
Following the review of a facility's Top-Screen submission, the Cybersecurity and Infrastructure Security Agency (CISA) will notify the facility if it is considered to be high-risk and covered under CFATS, and assigned to Tier 1, 2, 3, or 4, with Tier 1 representing the highest risk.
All covered chemical facilities are required to submit a Security Vulnerability Assessment (SVA) and one of two types of security plans—Site Security Plan (SSP) or the Alternative Security Program (ASP)—through the Chemical Security Assessment Tool (CSAT) for CISA approval.
The facility's SVA and SSP due dates run in parallel: both must be submitted within 120 days from the date of written notification from CISA. Tier 1-4 facilities may submit an ASP in lieu of an SSP.
The CSAT 2.0 SVA/SSP Instructions provide a question-by-question walkthrough of the SVA and SSP surveys.
Security Vulnerability Assessment (SVA)
All covered chemical facilities are required to complete an SVA via CSAT to identify the facility's use of chemicals of interest (COI), critical assets, and measures related to the facility's policies, procedures, and resources that are necessary to support the facility's security plan.
The SVA provides an analysis of the facility's security posture and potential vulnerabilities which may include incomplete documentation, lack of training, or insufficient resources.
What Is a Critical Asset?
A critical asset is an asset whose theft, diversion, loss, damage, disruption, or degradation would result in a significant adverse impact to human life, national security, or a critical economic asset.
Assets include but are not limited to:
- Physical security infrastructure, activities, procedures, personnel, or measures that comprise all or part of the facility's system for managing security risks.
- Physical safety infrastructure, activities, procedures, personnel, or measures that comprise all or part of the facility's system for managing process safety and emergency response measures.
- Cyber systems involved in the management of processes, process safety, security, product or material stewardship, or business management and control.
- Vessels, process equipment, piping, transport vessels, or any container or equipment used in the processing or holding of chemicals.
- On-site and off-site response protocols.
- Warehouses, vaults, storage bays, and similar infrastructure.
- Specially trained, qualified personnel who are engaged in the management of security and safety risks.
Site Security Plan (SSP)
Along with the SVA, all covered chemical facilities are required to submit an SSP—a CSAT-generated, easy-to-use online questionnaire that allows a facility to describe existing or planned security measures tailored to the risk level (i.e., Tier 1, Tier 2, Tier 3, or Tier 4) and unique considerations of the facility.
An SSP must meet the CFATS Risk-Based Performance Standards (RBPS). The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities, such as perimeter security, access control, personnel security, cybersecurity, and more.
Alternative Security Program (ASP)
All covered chemical facilities have the option of submitting an ASP in place of the SSP. The ASP allows a facility to develop its own template document for addressing CFATS requirements. An ASP must describe how the facility's security measures will meet or exceed each applicable RBPS and should appropriately address the tier and security concerns of the facility.
Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.
If you have additional questions, please call the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET).