Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program (EAP)
The Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program (EAP) is an optional process that Tier 3 and Tier 4 high-risk chemical facilities can choose to submit their Site Security Plan (SSP) for approval from CISA to bypass the pre-approval authorization and Authorization Inspection step in the CFATS process. Facilities with an approved EAP SSP enter directly into the CFATS regulatory cycle.
The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 ("CFATS Act of 2014"), Public Law 113-254 (6 U.S.C. § 621, et seq.), established the Expedited Approval Program (EAP), and directed the Department of Homeland Security (DHS) to issue prescriptive guidance that "identifies specific security measures that are sufficient to meet the risk-based performance standards" for facilities that choose to submit an SSP pursuant to the EAP. See 6 U.S.C § 622(c)(4)(B)(i).
Along with the EAP SSP, the facility must submit a certification (see below) that certifies the owner or operator has visited, examined, documented, and verified that the facility meets the criteria in the SSP. See 6 U.S.C. § 622(c)(4)(C).
DHS Guidance for EAP
The DHS Guidance for the Expedited Approval Program provides Tier 3 and Tier 4 covered chemical facilities with a better understanding of security measures that could be used to meet the Risk-Based Performance Standards (RBPS), and helps identify and select processes, measures, and activities they may choose to implement in order to secure and monitor their facilities. The prescriptive measures contained in the Guidance are intended to apply specifically to facilities that elect to participate in the EAP.
Note: The security posture of facilities submitting a security plan (SSP or Alternative Security Program [ASP]) through the regular, nonprescriptive CFATS process will continue to be evaluated against the RBPS in a holistic fashion.
Certification Under Penalty of Perjury
The certification is a document that is signed under penalty of perjury by the owner or operator of an expedited approval facility and submitted with the EAP SSP that certifies compliance with all of the requirements contained in 6 U.S.C. § 622(c)(4)(C).
Participation in the EAP
A facility that elects to submit an SSP under the EAP must notify CISA of its intention to do so at least 30 days prior to submitting the SSP and certification via the Agency's Chemical Security Assessment Tool (CSAT), or via a letter sent to:
Chemical Security, Associate Director
CISA — CHR STOP 0609
Cybersecurity and Infrastructure Security Agency
1310 N. Courthouse Rd.
Arlington, VA 20598-0609
All Tier 3 and Tier 4 facilities that choose to use the EAP to submit an SSP must include security measures that cover all of the RBPS. The security measures within the EAP SSP must either be existing security measures or planned measures with a clear timeline for implementation not to exceed twelve (12) months from date of the approval. See 6 U.S.C. § 622(c)(4)(C)(v).
If a facility uses a security measure that materially deviates from a measure specified in the Guidance, then the facility's SSP must identify the deviation for the specific security measure and explain how the new measure meets the relevant RBPS. See 6 U.S.C. § 622(c)(4)(B)(ii).
Visit the CFATS Knowledge Center for an online repository of FAQs, articles, and the latest news on the CFATS program.
For further questions about the EAP, please contact CFATS@hq.dhs.gov.