Chemical Facility Anti-Terrorism Standards (CFATS) Monthly Statistics
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
These metrics show the maturation and growth of the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27). Metrics under "Since Inception" include facilities that were tiered when the activity occurred but were subsequently determined to no longer be high-risk. Typical reasons for a change in high-risk status include removal of chemicals of interest (COI), reduction of the quantity of COI onsite, replacement of the COI with a lower concentration COI, and facility sale or closure.
Note: The CFATS regulatory program is cyclical in nature, meaning activities such as Compliance Inspections (CIs) are recurring. The Cybersecurity and Infrastructure Security Agency (CISA) began conducting recurring CIs in March 2017.
To date, CISA has received more than 108,000 Top-Screen submissions from more than 45,000 unique facilities. Of these, CFATS currently covers 3,242 facilities. These high-risk facilities are divided into four tiers, with Tier 1 facilities posing the highest security risk. Learn more about the CFATS Process.
Authorization Inspections (AIs)
Compliance Inspections (CIs)
Compliance Assistance Visits (CAVs)
Note: If an activity is canceled, it will be removed from the system. This may lead to a small change in the monthly numbers.
CFATS Facility Status
Approved Facilities: This metric shows the number of facilities that are currently approved. Once a facility's security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) is approved and a Letter of Approval is issued, the facility enters into a regulatory cycle of CIs.
Authorized Facilities: This metric shows the number of facilities that are currently authorized. Once a facility has submitted their security plan (SSP or ASP), a Letter of Authorization will be issued if the security measures appear to satisfy the applicable established risk-based performance standards (RBPS) requirements.
Authorization Inspections (AIs): This metric shows the number of Authorization Inspections completed. Once a Letter of Authorization is issued, an AI is conducted at facilities to verify and validate that the content listed in the facility's SSP or ASP is accurate and complete, and that existing and planned equipment, processes, and procedures are appropriate and sufficient to meet the RBPS specified in the CFATS regulation. This inspection occurs prior to the final approval of the facility's SSP or ASP.
Compliance Assistance Visits (CAVs): This metric shows the number of Compliance Assistance Visits completed. CAVs provide CFATS-covered facilities and facilities of interest with in-depth knowledge of how to meet CFATS requirements, such as determining COI reporting requirements, submitting or resubmitting a Top-Screen, developing an SSP or ASP, editing an SSP based on a change in security posture or tiering, or complying with any other part of the regulation. Compliance assistance also includes interactions and compliance assistance communications between CISA and high-risk facilities that occurred between March and May 2020, during the height of the COVID-19 pandemic, in which no visit was actually made.
Compliance Audits: This metric shows the number of Compliance Audits conducted. During a Compliance Audit, CISA inspectors remotely review and then lead a discussion with facility personnel on records and documentation related to the facility's COI and the security measures described in the facility's security plan.
Compliance Inspections (CIs): This metric shows the number of Compliance Inspections completed. A CI is conducted after a Letter of Approval has been issued. It is part of the recurring inspection process to ensure the covered facility continues to implement its approved SSP or ASP, and that existing and planned security measures are appropriate and sufficient to meet the RBPS. CIs will typically occur every one to two years, or as needed.
Tiered Facilities: Once a facility has submitted a Top-Screen, CISA uses a risk-based tiering methodology to determine if the facility is high-risk. This metric shows the number of high-risk facilities that are currently tiered and are pending Authorizations and Approval.