Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) Revisions
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
With the release of the Chemical Security Assessment Tool (CSAT) 2.0 and the enhanced tiering methodology, all chemical facilities of interest and covered chemical facilities were required to submit a new Top-Screen.
After completing the new Top-Screen in CSAT 2.0, facilities may receive a new tier. Facilities that receive a new tier or a revised tiering (e.g., a newly tiered chemicals of interest (COI) or new security concern) must submit a new or revised Security Vulnerability Assessment (SVA) and Site Security Plan (SSP) if either:
- The facility was previously not tiered and receives a tiering letter indicating it is now a tier 1, 2, 3, or 4 facility, or
- The facility's security posture in its current SVA and SSP does not address all of the tiered COI and security concerns at the new tier levels.
Although CSAT 2.0 drastically reduces the number of overall questions, the tool includes some new questions and sections, which are outlined below to help facilities that fall into categories 1 and 2 above revise their surveys in an effective and efficient manner.
For facilities that previously submitted the SVA and SSP, the majority of their previously submitted information will be prepopulated into the new survey.
The new questions listed below will be blank when a facility first opens the SSP. Facilities can quickly jump to these questions by selecting the "Validate and Submit" button on the left-hand navigation tool. This button will identify all unanswered questions and will allow the facility to jump straight to the new questions.
Facilities that were previously granted an indefinite extension, are statutorily excluded, or no longer have holdings of COI will not be required to resubmit a Top-Screen.
Security Vulnerability Assessment
When revising the SSP for the first time in CSAT 2.0, all facilities will be required to answer a few new SVA questions. These include:
- Reviewing the currently tiered COI and voluntarily adding any non-tiered COI.
- Identifying the methods of use of the COI (i.e., manufacture, ship, sell, and/or receive).
- Identifying critical assets and associating COI to each asset.
- Identifying detection measures and vulnerabilities in detection capability.
- Identifying delay measures and vulnerabilities in delay capability.
- Identifying response measures and vulnerabilities in response capability.
- Identifying cybersecurity measures and vulnerabilities in cybersecurity.
- Identifying policies, procedures, and resources and vulnerabilities in the ability to manage the security posture.
After completing the SVA, facilities that have chosen to submit an Alternative Security Program (ASP) or Expedited Approval Program (EAP) will receive the option to select ASP or EAP and have the ability to upload their documents.
When answering many of the questions in the detection portion of the SSP, facilities will be asked to select whether the measure applies to the perimeter and/or to critical assets. This section is in lieu of the previous SSP assets section. Based on the identified critical assets from the new SVA, facilities should revisit the following questions to correctly identify the location(s) to which the measure applies:
- Q3.10.070 Mobile Patrols
- Q3.10.120 Intrusion Detection Systems
- Q3.10.180 through Q3.10.230 Intrusion Detection Sensors
- Q3.10.290 and Q3.10.310 Closed-Circuit Television (CCTV)
In addition, below are some new questions that facilities will need to address:
- Q3.10.050 Personnel Presence. (This question allows the user to more clearly define the hours of operation for the facility and replaces the previous SSP questions on work shifts.)
- Q3.10.400 through Q3.10.420 Inventory Controls. (These questions allow the facility to better define and quantify the frequency of their chemical inventory program.)
When answering many of the questions in the delay portion of the SSP, facilities will be asked to select whether the measure applies to the perimeter and/or to critical assets. This section is in lieu of the previous SSP assets section. Based on the identified critical assets from the new SVA, facilities should revisit the following questions to correctly identify the location(s) to which the measure applies:
- Q3.20.030 through Q3.20.160 Perimeter Security. (These questions include measures such as fences, gates, walls, doors, and locks.)
- Q3.20.430 and Q3.20.440 Access Control Systems.
- Q3.20.560 Anti-Vehicle Measures.
This section of the SSP does not contain any new or changed questions.
To better understand a facility's cybersecurity posture, CSAT 2.0 includes a new section (Q3.40.400 through Q3.40.430) that requires facilities to identify and describe cyber control and business systems.
SSP Security Management
In order to more clearly identify the population of individuals that require background checks under Risk-Based Performance Standard (RBPS) 12, CSAT 2.0 includes a new question (Q3.50.320 Types of Affected Individuals) that requires facilities to define their affected individuals.
In addition, Tier 1 and 2 facilities, Tier 3 and 4 facilities that have received notification from CISA, and Tier 3 and 4 facilities that have opened their SSP will also see questions that address RBPS 12(iv). Several questions (Q3.50.330 through Q3.50.550) allow facilities to identify the options chosen and measures used to implement those options for compliance with RBPS 12(iv).
Finally, CSAT 2.0 includes a new question (Q3.50.710) that is an affirmation of compliance with recordkeeping requirements under 6 CFR 27.255. This question replaces fifteen questions in the previous survey.
Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.
If you have additional questions, please call the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET).