Disclosing CVI by Facilities to State, Local, and Tribal Agencies

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

Facilities may disclose Chemical-terrorism Vulnerability Information (CVI) to officials in state, local, and tribal agencies (e.g., local county emergency managers and local police officials) who are CVI Authorized Users and have a need to know.

CVI Authorized User Training

The determination that a state, local, or tribal official is a CVI Authorized User and has a need to know will be made by the CISA Chemical Security Inspector assigned to the area in which the facility is located. The Inspector will provide the public official with documentation of that determination.

After being allowed access to CVI, the facility and public official should discuss (1) which CVI documents, or portions of CVI documents, the official needs to execute his responsibilities, and (2) how the facility should disclose those documents (e.g., providing the official a copy of the document or arranging an onsite review).

Notification and Tracking of Disclosures

When a facility properly discloses CVI to a public official, the facility does not need to notify CISA of the disclosure. CISA encourages both the public official and agency to maintain a CVI Tracking Log. See Appendix D of the CVI Procedural Manual.

All government agencies should also consider:

  1. Appointing a CVI Point of Contact (POC) to provide oversight and assistance to individuals within the agency.
  2. Implementing procedures to ensure that CVI is used, handled, safeguarded, and disclosed appropriately.
  3. Establishing a self-inspection program to include periodic review and assessment of the handling, use, and storage of CVI.

Contact Information

If you have questions or need the contact info for your local CISA Chemical Security Inspector (CSI), call the Chemical Security Assessment Tool (CSAT) Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET) or email CSAT@hq.dhs.gov.