Chemical Security is a developing subject area that gained traction with the passage of the Homeland Security Appropriations Act of 2007, which authorized the Department of Homeland Security (DHS) to regulate the security of chemicals deemed to be of interest to terrorists. The Chemical Facility Anti-Terrorism Standards (CFATS) were developed as a result, and CFATS security requirements now apply to over 300 chemicals handled by a wide range of facilities within the US. In my opinion, CFATS is miss-named, because many of the facilities that we assist with CFATS compliance do not think of themselves as a “chemical facility.” They are pulp and paper plants, food production facilities, universities, high rise buildings (with large air conditioners), metallurgical manufacturers, natural gas fractionation plants, and mines, in addition to other more traditional chemical facilities, such as refineries and chemical blending and packaging plants.
In the fall of 2016, DHS revamped its online Chemical Security Assessment Tool (CSAT) which captures chemical security related information from over 38,000 facilities nationwide. Approximately 10% of these facilities have historically been regulated by DHS through their security focused Risk Based Performance Standards. DHS now expects all facilities that previously submitted their information into CSAT (from 2008 through 2016), to re-submit using their new online tool CSAT 2.0. In fact DHS has been sending notices through their databases to these 38,000 facilities on a rolling-basis since early spring and will continue sending these notices into early 2018. Additionally, DHS is coordinating their database with both the USEPA and OSHA databases to identify and notify other potential industrial and commercial facilities which may be subject to CFATS, but had not previously submitted their facility information to DHS.
In July 2017, DHS indicated that they expect the new system and its threat analysis will capture another 1,000 facilities fully into the CFATS program, with requirements for a combined Security Vulnerability Assessment/Site Security Plan, which DHS inspectors can enforce. Our experience shows facilities not previously captured by CFATS are now being regulated by the program. Depending on the facility’s assigned CFATS Tier and its existing security procedure, many facilities must account for new security protocols, training and equipment to properly secure the specific chemicals of interest.
The Good News?
While initially a burden, many of the facilities we helped achieve CFATS compliance 6, 7, or 8 years ago, have now come to accept and even embrace the additional security protocols as good business practices that help them in other areas of their operations. One client recently told me they are so comfortable with CFATS now (compared to 2008 when they were in shock) they felt confident enough to teach CFATS compliance to other facilities. That made me feel like we did a good job in getting them prepared.
In the coming weeks, our team will be sharing additional insights on many issues associated with CFATS compliance and the solutions clients will need to be focused on. We’ll cover topics including the link between RMP/PSM and CFATS, cyber security issues, planning for release scenarios, and theft and diversion scenarios. Please stay tuned!