Homeland Security’s Chemical Facility Anti-Terrorism Standard (CFAT)

On October 4, 2006, President George W. Bush signed Public Law 109295, the Chemical Facility Anti-Terrorism Standard, effective June 8, 2007, directing the Department of Homeland Security (DHS) to identify, assess and ensure effective security at high risk facilities that use, store, manufacture, or ship a listed regulated chemical under this law.

On November 20, 2007, the Department of Homeland Security (DHS) released the final version of the Chemical Facility Anti-Terrorism Standard’s “Appendix A” list of chemicals and their associated Screening Threshold Quantities (STQ).  Every company whose chemical inventory consists of one or more chemicals exceeding specified STQs had a deadline of JANUARY 22, 2008 to comply with the so-called “Top Screen Registration” requirement.

“Appendix A” further sub-divides chemicals into specific threat categories, namely Release Threat, Theft/Diversion Threat and Sabotage/Contamination Threat.  Thus, the list of 323 “Chemicals of Interest” (COIs) are arranged to be screened against specific security issues associated with each chemical, including:

  1. Release: Minimum Concentration (%); STQs in lbs.;
  2. Theft:  Minimum Concentration (%); STQs in lbs. unless otherwise noted;
  3. Sabotage: Minimum Concentration (%); STQs in lbs. unless otherwise noted;
  4. Release: Toxics
  5. Release: Flammables
  6. Release: Explosives
  7. Theft: Chemical Weapons/Chemical Weapon Precursors
  8. Theft: Weapons of Mass Effect
  9. Theft: Explosives/Improvised Explosive Device Precursors

Selected Chemicals Common to Industry

Acetylene, Anhydrous Ammonia, Ammonia (conc. 20% of greater), Ammonium Nitrate, Butane, Carbon Disulfide, Chlorine, Difluoroethane, Ethane, Ethylene Oxide, Hydrogen, Methane, Nitric Acid, Nitric Oxide, Various forms of Phosphorus, Prophylene Oxide, Various forms of Sulfur, Various forms of Toluene and many more.

Depending upon which sub-category and security issue each chemical falls into will depend upon how a facility will count its chemicals of interest toward the Screening Threshold Quantities listed.  There are many chemicals listed in which “Any Amount” whatsoever is the specified threshold. Selected facts regarding the final version of “Appendix A” are as follows:

  • Anti-Terrorism: Prevention & Protection
  • Container Security Initiative Ports
    • There are currently 48 foreign ports participating in CSI.
  • National Infrastructure Protection Plan
  • Chemical Security Assessment Tool (CSAT).  Note: CSAT is Homeland Security's system for collecting and analyzing key data from chemical facilities. CSAT is comprised of three secure, web-based tools:
    • Consequence screening questionnaire (Top-Screen);
    • Security Vulnerability Assessment (SVA) tool
    • Site Security Plan (SSP) template.

Any facility that manufactured, used, stored or distributed chemicals listed in “Appendix A: Chemicals of Interest” at or above the Screening Threshold Quantity (STQ), must complete and submit a CSAT Top-Screen.  The Department may also notify facilities – either directly or through a Federal Register notice – that they need to complete and submit a CSAT Top-Screen.  Initial CSAT Top-Screens were due within 60 calendar days of the effective date of the final "Appendix A: DHS Chemicals of Interest," or within 60 calendar days of coming into possession of any such Chemical of Interest at or above the STQ.

Failure to complete a CSAT Top-Screen within the timeframe provided may result in civil penalties of $25,000 per day, a Department of Homeland Security audit and inspection, or an order to cease operations.  DHS reports that it is committed to meeting the letter and spirit of CFATs to enhance and ensure the security of the Nation’s Industry where listed chemicals are used as a part of any given company’s operations, as the Nation’s companies represent the infrastructure for productivity and economic strength. 

323 Chemicals of Interest (COIs)

Chemicals of Interest (COI) now have “Minimum Concentrations” associated with each entry, listed in either a percent (%) form or with the acronym “ACG”, which stands for “A Commercial Grade”. Quoting from DHS, ACG refers to any quality or concentration of a COI offered for commercial sale that a facility uses, stores, manufactures or ships.

One note regarding the dissemination/use of any information regarded by DHS as Chemical-terrorism Vulnerability Information (CVI): Anyone who completes a Top-Screen registration or who has access to information used in completing a Top-Screen registration, persons with a "Need To Know", must complete on-line training and receive a unique Authorized User number from DHS before being allowed to access this information.  Some examples of CVI are:

  • Information developed pursuant to the Top-Screen process;
  • Site Vulnerability Assessments;
  • Site Security Plans;
  • Documents related to inspections and audits;
  • Records of training, exercises and drills;
  • Incidents and security breaches;
  • Maintenance, calibration and testing of security equipment; or
  • Other information designated as CVI by the Secretary of DHS.

Chemical Facility Employee Training & Recordkeeping

Per the Department of Homeland Security, here are selected training procedures applicable to facilities required to execute the Site Security Plan (SSP).

Training

  • Ensure proper security training, exercises and drills of facility personnel;
  • Perform appropriate background checks on and ensure appropriate credentials for facility personnel and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including,
    • Measures designed to verify and validate identity;
    • Measures designed to check criminal history;
    • Measures designed to verify and validate legal authorization to work; and
    • Measures designed to identify people with terrorist ties;

Recordkeeping

The covered facility must keep records of the activities as set out below for at least three years and make them available to the Department upon request.  Recordkeeping must include:

  • For training, the date and location of each session, time of day and duration of session, a description of the training, the name and qualifications of the instructor, a clear, legible list of attendees to include the attendee signature, at least one other unique identifier of each attendee receiving the training and the results of any evaluation or testing.
  • For incidents and breaches of security, date and time of occurrence, location within the facility, a description of the incident or breach, the identity of the individual to whom it was reported and a description of the response;
  • Date and time of security threats, how the threat was communicated, who received or identified the threat, a description of the threat, to whom it was reported and a description of the response;
  • For audits, each audit of a covered facility's Site Security Plan or Security Vulnerability Assessment, a record of the audit, including the date of the audit, results of the audit, name(s) of the person(s) who conducted the audit, and certification stating the date the audit was conducted are required.
  • A covered facility must retain records of submitted Top-Screens, Security Vulnerability Assessments, Site Security Plans and all related correspondence with the Department for at least six years and make them available to the Department upon request.
  • For security purposes, the Department may request that a covered facility make available records kept pursuant to other Federal programs or regulations.
  • Records required by this section may be kept in electronic format. If kept in an electronic format, they must be protected against unauthorized access, deletion, destruction, amendment and disclosure.