Chemical Facility Anti-Terrorism Standards (CFATS) Personnel Surety Program
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
Under the Chemical Facility Anti-Terrorism Standards (CFATS) program, all covered facilities must submit a security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) containing security measures that sufficiently meet all the Risk-Based Performance Standards (RBPS) for approval to the Cybersecurity and Infrastructure Security Agency (CISA).
RBPS 12 — Personnel Surety requires facilities to account for four types of background checks on facility personnel and unescorted visitors who have or seek access to restricted areas and critical assets at high-risk chemical facilities. These checks include measures designed to:
i) Verify and validate identity
ii) Check criminal history
iii) Verify and validate legal authorization to work
iv) Identify people with terrorist ties
Part iv—screening for terrorist ties—is implemented through the Personnel Surety Program (PSP). On July 9, 2019, CISA published a notice in the Federal Register (84 FR 32768) that announced the implementation of the PSP at all covered chemical facilities—including Tier 3 and Tier 4 facilities—closing the final gap in vetting individuals with access to critical assets and restricted areas for terrorist ties. High-risk chemical facilities that have an approved SSP/ASP but have not yet included measures to comply with RBPS 12(iv) will be notified by CISA in a phased manner of the need to update their security plans with measures to identify individuals for terrorist ties.
Preparing for RBPS 12(iv) through PSP
Comprehensive background checks that screen individuals for terrorist ties are a key aspect of chemical facility security that reduce the likelihood of insider threat with potential to cause significant harm. High-risk chemical facilities that have an approved SSP or ASP but have not yet included measures to comply with RBPS 12(iv) will be notified by CISA in a phased manner of the need to update their security plans with security measures to identify individuals for terrorist ties. Once a facility has been notified and their revised security plan is approved, the facility can then access the PSP Application in CSAT. Facilities can, however, proactively update their SSP or ASP with this information prior to notification.
On December 18, 2015, a notice was published in the Federal Register (80 FR 79058) to inform Tier 1 and Tier 2 high-risk chemical facilities that the Department would begin implementing the terrorist ties screening portion of RBPS 12 through the PSP. On July 9, 2019, a second notice was published in the Federal Register (84 FR 32768) to inform all high-risk chemical facilities that CISA would begin implementing the terrorist ties screening portion of RBPS 12 at all CFATS-covered facilities. The second notice provides:
- Statutory and regulatory history
- Four options available to facilities in order to comply with RBPS 12(iv)
- Program requirements and details
- Chemical Security Assessment Tool (CSAT) user roles and responsibilities
- Privacy considerations
Updating Security Plan to Comply with PSP
Facilities have four options to consider when implementing RBPS 12(iv). Facilities may also propose additional options of their own design as part of their security plan, and CISA will review and approve on a case-by-case basis.
High-risk chemical facilities can employ one of the four options to comply with RBPS 12(iv):
- Option 1 - Direct Vetting: High-risk chemical facilities (or their designees) may submit certain information about affected individuals through a PSP Application located in CSAT.
- Option 2 - Use of Vetting Conducted under Other Department of Homeland Security (DHS) Programs: High-risk chemical facilities (or their designees) may submit information (via the PSP Application in CSAT) about affected individuals possessing the appropriate credentials to enable CISA to electronically verify the affected individuals' enrollments in other DHS programs.
- Option 3 - Electronic Verification of Transportation Worker Identification Credential (TWIC®): High-risk chemical facilities (or their designees) can use access control solutions, like electronic TWIC® readers or Physical Access Control Systems, to verify the validity of existing credentials.
- Option 4 - Visual Verification: High-risk chemical facilities may identify individuals with terrorist ties using any federal screening program that periodically vets individuals against the Terrorist Screening Database (TSDB) if:
- The federal screening program issues a document or credential.
- The high-risk chemical facility is presented a credential or document by the affected individual.
- The high-risk chemical facility verifies the credential or document is current in accordance with its security plan.
- The Transportation Security Administration (TSA) and CISA strongly recommend electronic inspection of TWIC® cards; however, facilities are authorized under the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (6 U.S.C. §§ 621-29) to visually verify TWIC® cards to comply with RBPS 12(iv).
- Use the TWIC® Advanced Digital Visual Inspection Solution for Revocation (TWIC® ADVISR™) for Android™ and iOS devices. This mobile application is not a TWIC® card reader, but rather a downloadable application that uses the TWIC® Canceled Card List (CCL) to determine if a TWIC® card presented to the user is active or canceled.
- If not using TWIC® ADVISR™, facilities can visually check that the TWIC® has not been canceled against the CCL by visiting the Canceled Card Lists webpage and verifying that the Credential Identification Number (CIN) displayed on the back lower-left corner of the TWIC® is NOT listed on the CCL. The CCL list is updated every 24 hours. For more information on the CCL, please visit the TSA TWIC webpage.
Note: In December 2014, Congress noted in Section 2102(d)(2)(B)(ii) of the Protecting and Security Chemical Facilities from Terrorist Attacks Act of 2014, Pub. L. No. 113-254, that facilities choosing to meet RBPS 12(iv) via Option 4- Visual Verification should know that a visual inspection of credentials has inherent limitations and provides less security value than the other options available. Therefore, facilities should consider other means of verifying a credential's validity.
Facilities may use the PSP Sample Supplement in the PSP Toolkit assists facilities in determining whether measures they choose to comply with RBPS 12(iv) are sufficient. This document is a voluntary tool that, if used, can be tailored to your specific facility and needs.
Tips for Implementing PSP
Option 1 and Option 2 allow facilities to submit information about affected individuals directly to CISA through the CSAT for vetting. Several tips based on lessons learned may help your facility more efficiently implement RBPS 12(iv) at your facility.
An Authorizer, Administrator, or PSP Submitter can access the CSAT PSP Application through the PSP tab in the CSAT Portal after their facility has been approved to implement RBPS 12(iv). Types of users that could be assigned a PSP Submitter role by the Authorizer or an Administrator are:
- An employee of the facility.
- An employee or contractor of a corporation which owns the facility.
- A third-party contractor or service provider performing work on behalf of the facility.
Facilities have wide latitude in assigning CSAT user roles to align with their business operations or the business operations of third parties that provide contracted services to them and may have multiple PSP Submitters.
- Some facilities with centralized human resource (HR) offices may wish to consider an HR official to be a PSP Submitter in order to incorporate the PSP submission of affected individuals who are facility employees into the normal hiring processes. This structure allows a designee(s) of high-risk chemical facilities to submit information about affected individuals directly to CISA on behalf of high-risk chemical facilities.
- Some facilities may wish to consider an employee of the company who performs background check services to be the PSP Submitter in order to incorporate the PSP submission of affected individuals who are facility employees into the normal background check processes.
- Some facilities with multiple contracts that involve affected individuals may wish to consider identifying an employee in the contracted company to be the PSP Submitter in order to incorporate the PSP submission of affected individuals who are employees of the contract company.
Regardless of who submits information about affected individuals, CISA does not encourage the transmission of Personally Identifiable Information (PII) about affected individuals via email. CISA encourages Authorizers to establish user roles and groups (see below) so that information submitted about affected individuals under Option 1 or Option 2 is accomplished with minimal risk.
Bulk Upload vs. Individual Input
Facilities with few affected individuals may choose to input names individually into the CSAT PSP Application; however, those with a large number of affected individuals may choose to take advantage of the bulk upload feature.
- The Bulk Upload capability may process up to 10,000 records about affected individuals at a time.
- Bulk Upload files can be input in either an .xls or .xlsx file—a Sample Bulk Upload template in the PSP Toolkit is provided through the application. Every affected individual record submitted through the Bulk Upload process must contain data in the required fields (see page 13 of the PSP Instructions Manual). Data validation by the PSP Application will help the PSP Submitter identify any data entry mistakes.
An Authorizer or user that has been assigned an Administrator role may create and manage groups to efficiently view or edit affected individuals' records.
- Groups allow facilities to implement reasonable privacy limitations by limiting the ability of PSP Submitters.
- PSP Submitters may be assigned to a group and thus may only view or edit those records within the Group to which the Authorizer assigns them.
- PSP Submitters may only be assigned to one group by an Authorizer.
- Groups can organize records about affected individuals by facility location, contracting company, or other delineation based on the facility's business processes or practices.
User Defined Field (or Unique Identifier)
The PSP Application (which is organized under the Authorizer) gives the Authorizer the option to create a user-defined unique identifier field—such as employee identification number, the primary work location, facility badge ID number, contract number, or the individual's role—that can be used to more easily filter and sort information. This may be especially helpful for larger organizations or organizations with multiple facilities. This optional field may assist the facility in managing the records it submits align with their business processes or practices.
Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest CFATS program news.
If you have additional questions, please call the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET) or email CSAT@hq.dhs.gov.