CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS)Richard Cummins 9 August, 2019 Activities at CFATS...
Transcript of CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS)Richard Cummins 9 August, 2019 Activities at CFATS...
Richard Cummins 9 August, 2019
C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y
CHEMICAL FACILITY ANTI-TERRORISM STANDARDS
(CFATS)
1
VA(1
Slide 1
VA(1 To edit name and date click "View" in the top tool bar > click "Slide Master" > select FIRST slide in the left tumbnails section > edit text box on the bottom of the slide with name and date > select THIRD slide from the top in the left tumbnails section > edit text box on the bottom of the slide with name and date > click "Close Master View" under the "View" tabVeyisoglu, Ahmet (CTR), 1/2/2019
Richard Cummins 9 August, 2019
Why Chemical Facility Security?
2
We face a persistent and evolving threat
A successful attack on a chemical facility could potentially cause a significant number of deaths and injuries
Certain chemical facilities possess materials that could be stolen or diverted and used for terrorist activities
Subway Bombings –London
Ammonium Nitrate – Texas
Chlorine-Tinged Smoke from Detonated Bomb – Iraq Police Block Scene of Attack – France
Richard Cummins 9 August, 2019
Ensuring Chemical Facility Security
3
Statutory Authority
In December 2006, Congress authorized DHS to regulate security at “high-risk” chemical facilities
The Department developed the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27, to implement this authority
In December 2014, Congress extended the Department’s authority through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 - 6 U.S. Code Chapter 1, Subchapter XVI: Chemical Facility Anti-Terrorism Standards (CFATS)
In January 2019, CFATS received a 15-month extension to its current authorization
Richard Cummins 9 August, 2019
The CISA Structure
4
In 2018 Congress passed the Cybersecurity and Infrastructure Security Agency Act. Previously known as National Protection and Programs Directorate, CISA seeks to defend our Nation against the digital, physical, manmade, technological, and natural threats that we face.
Infrastructure Security Compliance Division (ISCD) administers the Chemical Facility Anti-Terrorism Standards (CFATS) Program and the Ammonium Nitrate Security Program (ANSP)
Infrastructure Security Division (ISD)
IICD NICC ISCD PSCD SOPD
Cybersecurity and Infrastructure Security Agency (CISA)Cybersecurity Division
Emergency Communications DivisionInfrastructure Division
National Risk Management Center
Federal Protective Service
Richard Cummins 9 August, 2019
The CFATS Regulation
5
The CFATS program identifies and regulates high-risk chemical facilities to ensure they implement appropriate security measures to reduce the risk of a terrorist attack associated with more than 300 chemicals of interest (COI). If held in specified quantities and concentrations, these chemicals must be reported to DHS. Facilities that store, manufacture, or distribute COI at or above screening threshold quantities (STQ) are required to comply with the CFATS standards.
CFATS follows a risk-based approach, allowing DHS to focus on high-risk chemical facilities in accordance with their specific level of risk
Richard Cummins 9 August, 2019
CFATS UniverseIdentifying high-risk chemical facilities
6
“Appendix A” – a list of 300+ chemicals of interest (COI) at specific threshold quantities and concentrations that require reporting to the Department
Correctional Facilities
Hospitals and Clinics
Wineries
Chemical Facilities Come in All Shapes and Sizes
Chemical Manufacturing Oil Refineries Food Processing Wineries Colleges and
UniversitiesFarm
Cooperatives
Richard Cummins 9 August, 2019
Industries with Facilities Regulated by CFATS
CFATS regulates facilities in various industries, including:
7
Academia (College & Universities) Aerial Sprayers (Non-Fertilizer) Breweries Cold Chain/Refrigeration Energy Utilities Fisheries and Hatcheries Food Processors and Co-Ops Healthcare (Hospitals & Providers) Laboratories
Metal Service and Metal Merchants Mining Motor Vehicle Parts Manufacturing Paints/Coatings Petrochemical Manufacturing Petroleum Refining/Oil Drilling Plastics Pulp and Paper Race Tracks Retail Storage and Distribution Semiconductors Water Parks, Pools, and Filtration Wineries
AN
H202
CI
NH3
Richard Cummins 9 August, 2019
Am I Exempt?
8
• Facilities regulated by the Nuclear Regulatory Commission• Facilities owned by the Departments of Defense or Energy• Public water systems and water treatment works regulated
under certain Federal water quality laws• Facilities regulated under the Maritime Transportation
Security Act
Statutory Exemptions
• In January 2008, DHS indefinitely extended the Top-Screen due date for agricultural production facilities
Agricultural Production Facilities
Richard Cummins 9 August, 2019
Am I Exempt?
9
• In January 2008, DHS indefinitely extended the Top-Screen due date for agricultural production facilities.
• “Until further notice, or unless otherwise specifically notified in writing by DHS,
• the Top-Screen registration (the first tier of regulation) will not be required for any facility that is required to register solely because it possesses any Chemical of Interest, at or above the applicable screening threshold quantity, for use--
NOT NECESSARILY!!
Richard Cummins 9 August, 2019
Am I Exempt?
10
• (a) in preparation for the treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility; or
• (b) during application to or treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility;
NOT NECESSARILY!!
Richard Cummins 9 August, 2019
Am I Exempt?
11
The Stay applies to long-term/permanent, STQchemicals stored on-farm for on-going and/or futureapplication. Agricultural production operations do notneed to complete the Top Screen for storage ofpesticides, fumigants and fertilizers for application,preparation and treatment in any STQ amount for anyperiod of time.
NOT NECESSARILY!!
Richard Cummins 9 August, 2019
AG Extension
12
The Stay does not apply to farms’ storage of propane.
On-farm “large vessel” STQ storage of propane requirescompletion of Top Screen.
The Stay does not apply to ammonia used as refrigerant.
Agricultural production facilities with refrigerationammonia use meeting the STQ threshold (e.g., largedairies and grow/pack orchards) are required to completethe Top Screen.
Richard Cummins 9 August, 2019
Essentials of the CFATS Program
13
Facilities in possession of Chemicals of Interest at or above the screening threshold quantities and concentration must submit a risk assessment
DHS uses information submitted through the online risk assessment (Top-Screen) to determine if a facility is high-risk / covered Covered facilities are placed in one of four tiers Tier one represents the highest risk
Covered facilities are required to develop and implement security plans that meet applicable risk-based performance standards (RBPS)
Chemical Security Inspectors assigned to all 50 States and U.S. territories conduct inspections, assist with compliance, and perform outreach
Richard Cummins 9 August, 2019
The CFATS Process
14
Submit Top-Screen
Submit Top-Screen
Provide aSecurity Vulnerability
Assessment (SVA)/Complete Site Security Plan (SSP) or
Alternative Security Program (ASP)
Provide aSecurity Vulnerability
Assessment (SVA)/Complete Site Security Plan (SSP) or
Alternative Security Program (ASP)
Receive Authorization
and an Authorization
Inspection
Receive Authorization
and an Authorization
Inspection
Receive Approval of the SSP/ASP
Receive Approval of the SSP/ASP
ImplementPlanned
Measures and Undergo Regular
Compliance Inspections
ImplementPlanned
Measures and Undergo Regular
Compliance Inspections
If the facility receives a tier…
Facility may be tiered in or drop out
Receive a Tier (1-4)
or be deemed not high-risk
High-risk facilitiesAll facilities with COI
DHS provides compliance assistance upon request at any stage of this process
More than 150 Chemical Security Inspectors are available for support across the country
Richard Cummins 9 August, 2019
Risk-Based Performance Standards
15
Risk-Based Performance Standards (RBPS) are the foundation of a facility’s Site Security Plan and drive the security standards at all tiered facilities.
RBPS provide facilities with flexibility and allow for the use of existing or planned measures, ideas, and expertise where appropriate.
A covered high-risk facility has to satisfy the applicable RBPS by implementing security measures appropriate to the facility’s risk tier.
Security measures appropriate to satisfy the RBPS will vary from one facility to another based upon level of risk and unique facility circumstances.
Richard Cummins 9 August, 2019
Risk-Based Performance Standards
16
1) Restrict Area Perimeter
2) Secure Site Assets
3) Screen and Control Access
4) Deter, Detect, Delay
5) Shipping, Receipt, and Storage
6) Theft and Diversion
13) Elevated Threats
14) Specific Threats, Vulnerabilities, or Risks
15) Reporting Significant Security Incidents
16) Significant Security Incidents and
Suspicious Activities
17) Officials and Organization
18) Records
7) Sabotage
8) Cyber
9) Response
10) Monitoring
11) Training
12) Personnel Surety
Rather than prescribe specific facility security measures, DHS developed 18 Risk-Based Performance Standards (RBPS)
Compliance with the RBPS will be tailored to fit each facility’s circumstances, including tier level, security issues, and physical and operating environments
RBPS-8 Cyber
RBPS-1 Restrict Area Perimeter
RBPS-10 Monitoring
Richard Cummins 9 August, 2019
Chemical Security Inspectors
17
Chemical Security Inspectors are located in all 50 States More than 150 Chemical Security Inspectors Organized into teams in each of the 10 Federal regions
Conduct: Authorization Inspections Compliance Assistant Visits Compliance Inspections Stakeholder Outreach
Chemical Security Inspectors also attend meetings with Federal, State, local, and private industry members
Richard Cummins 9 August, 2019
CFATS National Footprint
18
Number of Facilities, by Region0‐200 201‐400 401‐600 600+
Puerto Rico (Region 2)
- Hawaii(Region 9)- Guam (Region 9)
Region 1
Region 2
Region3
Region 6
Region 7
Region 8
Region 9
Region 10
Region 4
Region 5
Richard Cummins 9 August, 2019
Activities at CFATS Facilities
19
* “Since Inception of Program” statistics include facilities that were once tiered but no longer high-risk. Typical reasons include removal of a COI, reduction of COI quantity, replacement with lower concentration COI, and facility sale or closure.
0
1000
2000
3000
4000
5000
6000
Oct
-12
Jan-
13
Apr
-13
Jul-1
3
Oct
-13
Jan-
14
Apr
-14
Jul-1
4
Oct
-14
Jan-
15
Apr
-15
Jul-1
5
Oct
-15
Jan-
16
Apr
-16
Jul-1
6
Oct
-16
Jan-
17
Apr
-17
Jul-1
7
Oct
-17
Jan-
18
Apr
-18
Jul-1
8
Oct
-18
Jan-
19
Apr
-19
Authorizations Authorization Inspections Approvals Compliance Inspections
DHS continues to issue new high-risk tieringdeterminations as Top-Screens are submittedDHS continues to issue new high-risk tieringdeterminations as Top-Screens are submitted
As of April 2019CFATS covers 3,323 facilities
Since Inception of the Program
4,762 Authorizations *
3,951 AIs *
4,503 CIs *
3,508 Approvals *
Richard Cummins 9 August, 2019
Submitting and Protecting Information
20
Chemical Security Assessment Tool
(CSAT)CSAT is a set of online
applications.
These include:
• User Registration• Top-Screen• Security Vulnerability
Assessment/Site Security Plan • Personnel Surety Program
Chemical-terrorism Vulnerability Information
(CVI) CVI is the information protection category used to ensure secure
handling of certain sensitive CFATS-related information.
To access CVI, an individual must have passed CVI training
and have a need-to-know.
Richard Cummins 9 August, 2019
Improved Tiering Methodology and CSAT 2.0
21
DHS released the enhanced tiering methodology and Chemical Security Assessment Tool (CSAT) 2.0 in Fall 2016.
The enhanced tiering methodology accounts for the relevant elements of risk: Threat VulnerabilityConsequence
CSAT 2.0 consists of a revised Top-Screen, Security Vulnerability Assessment, and SSP All facilities with chemicals of interest (COI) at or above
screening threshold quantity (STQ) have to resubmit a new Top-Screen
Richard Cummins 9 August, 2019
Personnel Surety Program (PSP)
22
Personnel Surety Background Checks
Verify and Validate Identity
Check Criminal History
Validate Legal Authorization to Work in the U.S.
Identify People with Terrorist Ties
Personnel Surety includes vetting individuals with access to COI and other sensitive parts of high-risk chemical facilities
Risk-Based Performance Standard (RBPS) 12 requires background checks, including recurrent vetting against the Terrorist Screening Database
DHS began implementation of the Personnel Surety Program in December 2015. Tier 1 and 2 facilities have four ways to implement terrorist screening provisions:1. Direct vetting through DHS’s online tool2. Verifying credentials through DHS’s online tool3. Using an electronic credential reader, like a TWIC reader4. Visual verification of a credential
In December 2017, DHS published a PSP Information Collection Request in the Federal Register seeking approval to extend PSP vetting to Tier 3 and 4 facilities
Richard Cummins 9 August, 2019
What Should You Do Next?
23
Visit DHS.gov to access Appendix A
www.dhs.gov/publication/cfats-coi-list
2
1
3
If your facility manufactures, stores, or distributes any of the chemicals of interest (COI) in Appendix A at or above the minimum concentrations and screening threshold quantities, you are required to submit a Top-Screen
Submit a Top-Screen
https://csat-registration.dhs.gov/
Richard Cummins 9 August, 2019
Outreach Resources
24
DHS is committed to promoting chemical security awareness through outreach and fostering relationships within communities. CFATS continually develops new outreach resources in support of its outreach efforts and commitment to provide stakeholders with informative resources, including:
CFATS Overview Fact Sheet
CFATS First Steps Fact Sheet
Top Regulated COI Fact Sheet
Appendix – A Trifold
Shipping and Receiving COI Flyer
RBPS Specific Fact Sheets
Industry Specific Fact Sheets
Richard Cummins 9 August, 2019
Available Resources
25
Outreach: DHS outreach for CFATS is a continuous effort to educate stakeholders on the program. • To request a CFATS presentation or a CAV, submit a request through the
program website www.dhs.gov/cfats, or email DHS at [email protected].
CFATS Help Desk: Direct questions about the CFATS program to the CFATS Help Desk.• Hours of Operation are Mon. – Fri. 8:30 AM – 5:00 PM (ET)• CFATS Help Desk toll-free number 1-866-323-2957• CFATS Help Desk email address [email protected]
CFATS Web Site: For CFATS Frequently Asked Questions (FAQs), CVI training, and other useful CFATS-related information, please go to www.dhs.gov/cfats
Richard Cummins 9 August, 2019
Hometown Security
26
Richard Cummins 9 August, 2019 27
Richard Cummins 9 August, 2019
ADDITIONAL SLIDES
28
* You may choose to incorporate any of the additional slides below based on relevance
to your audience.
Richard Cummins 9 August, 2019
Current CFATS Population
29
TierCurrently CoveredFacilities
1 165
2 80
3 1,376
4 1,702
Total 3,323
Tier 1 - 5%Tier 2 - 2%
Tier 3 - 42% Tier 4 - 51%
Tier 1Tier 2Tier 3Tier 4
CurrentPopulation Distribution
Currently Covered Facilities
3,323
CurrentlyAuthorizedFacilities
396
CurrentlyApprovedFacilities
2,810
Currently*Tiered Facilities
117
* Facilities labeled as Currently Tiered reflect facilities that have received a tier but are awaiting Authorization
All statistics are current as of April 2019
Richard Cummins 9 August, 2019
Agricultural Production Facilities Extension
30
The extension applies to: Farms (e.g., crop, fruit, nut,
and vegetable) Ranches and rangeland Poultry, dairy, and equine
facilities Turf grass growers Golf courses Nurseries Floricultural operations Public and private parks
DHS is considering whether a modification to the Top-Screen requirement for agricultural production facilities might be warranted
In January 2008, DHS indefinitely extended the Top-Screen for farmers and other agricultural facilities that use chemicals of interest (COI) for certain agricultural purposes
Richard Cummins 9 August, 2019
Agricultural Production Facilities Extension
31
The extension does not apply to chemical distribution facilities or commercial chemical application services.
It applies only to agricultural production facilities that use COI in preparation for the treatment of crops, feed, land, livestock (including poultry) or other areas of an agricultural production facility or during application to or treatment of crops, feed, land, livestock (including poultry) or other areas of the facility.
Therefore, if your facility possesses COI at or above the screening threshold quantity for any other purpose, your facility is noteligible to claim the CFATS Top-Screen extension and you must comply with the CFATS regulation by submitting a Top-Screen
Richard Cummins 9 August, 2019
What is an Authorization Inspection?
32
Authorization Inspections are conducted at covered facilities to verify the facility content listed in the Site Security Plan (SSP) or Alternative Security Program (ASP) is accurate and that existing and planned measures satisfy the risk-based performance standards (RBPS).
DHS sends the facility a Letter of Authorization through CSAT
A Chemical Security Inspector will reach out to the facility to discuss:
A date and time for the inspection The scope of the visit The facility personnel required to be present Required documents to be made available Chemical-terrorism Vulnerability Information (CVI)
considerations Protective equipment and safety requirements
Richard Cummins 9 August, 2019
What is a Compliance Inspection?
33
A Compliance Inspection (CI) is conducted as part of the recurring inspection process after a Letter of Approval has been issued to ensure the facility continues to implement its approved security plan
Compliance Inspections are conducted: To ensure that both existing and planned security measures that are
identified in the approved SSP or ASP continue to be implemented fully and on schedule
To ensure that the equipment, processes, and procedures described in the SSP or ASP are appropriate and sufficient to meet the established risk-based performance standards
To ensure that required corrective actions have been implemented and are sustainable
To discuss other issues that have come up since the Letter of Approval
Richard Cummins 9 August, 2019
Active Shooter Preparedness
34
Richard Cummins 9 August, 2019
Active Shooter Response
35
Richard Cummins 9 August, 2019
CFATS KNOWLEDGE CENTER
36
Thhttp://csat-help.dhs.gov/.
Questions Regarding Chemical Facilities Anti-Terrorism Standards (CFATS):
CFATS Help Desk Phone: 866-323-2957
CFATS Email: [email protected]
For more information about critical infrastructure, visit:http://www.dhs.gov/critical-infrastructure