​

THE CHEMICAL FACILITY Anti-Terrorism Standards (CFATS), issued in April 2007, started a process that is reshaping security at thousands of chemical, petrochemical, and industrial facilities across the United States. In terms of fixed costs, human capital, and potential liabilities associated with noncompliance, CFATS imposes a high burden for owners and operators of the nation’s critical chemical infrastructure. And while the law that set these standards in motion sunsets in October 2009, no one expects that the industry will return to a less regulated state. The only question is what shape the law extending the regulations will take.

Meanwhile, companies must proceed with compliance through a cost-effective and comprehensive strategy that positions them for any changes to come.

The existing law provides that the Department of Homeland Security (DHS) use a risk-based performance-standard (RBPS) model to evaluate compliance. DHS can mandate a precise security outcome, such as requiring facilities to have strong perimeter barriers, but the agency cannot specifically dictate how a facility must achieve the desired security result. Whether a facility chooses to install a metal fence, build a concrete wall, or dig a deep moat is immaterial. The RBPS model is significant not only because it comports with a defense-in-depth security strategy but also because it gives a regulated facility the leeway to develop a layered combination of security measures tailored to its unique circumstances, geography, and operational environment.

Who Is Affected

Whether and to what extent a facility is subject to CFATS is a function of many factors, but particularly the type and quantity of chemicals that a facility possesses. These chemicals of interest (COIs), numbering more than 300, include exotic chemicals that have few (if any) legitimate uses, such as Sarin and Lewisite, as well as chemicals used routinely, such as chlorine.

Each COI has an associated screening threshold quantity (STQ), which serves as the potential-for-high risk trigger. The government preliminarily determined which facilities “present a high level of security risk” after a DHS analysis of their COI inventories, a process facilitated through an electronic data questionnaire known as the Top-Screen.

The Top-Screen is part of a Web-based suite of data collection tools known as the Chemical Security Assessment Tool (CSAT). Acting like a filter, the CSAT Top-Screen allowed DHS to collect and analyze vast amounts of facility-specific information, including all a facility’s COIs at or above their applicable STQ.

It should be noted that CFATS broadly defines “chemical facility” to mean “any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criteria identified by the Department.”

As a result of this broad definition, large chemical and petrochemical facilities could be grouped together with a “mom-and-pop” pool supply company storing more than 2,500 pounds of chlorine in a vessel, a university research lab with a 15-pound cylinder of specialized gas, or a poultry farmer with more than 60,000 pounds of propane used to heat a chicken house.

With few exceptions, the expansiveness of the term “chemical facility” requires that any site using or storing industrial, specialty, or even common chemicals be assessed for potential CFATS applicability and possible submission of a Top-Screen under federal law.

By early 2008, DHS had collected more than 30,000 Top-Screens and determined that approximately 7,000 facilities were preliminarily high-risk. The approximately 7,000 that were deemed preliminarily high-risk were informed what chemicals resulted in or contributed to DHS’s initial high-risk determination. A facility might have reported ten COIs at or above the STQ on its Top-Screen, but DHS may have determined that only four of them posed an immediate high-security risk for CFATS compliance purposes.

Within the universe of high-risk facilities, all sites are not equal; the perceived consequence of a risk will drive a significant portion of DHS’s risk analysis. For example, DHS would likely deem that a facility located in a highly populated area and having a large quantity of a Toxic Inhalation Hazard COI, such as anhydrous ammonia, posed a greater risk than a similar facility located in a rural area.

Beginning in June 2008, DHS preliminarily ranked each of the approximately 7,000 sites into one of four risk-tiers, with Tier 1 being the highest risk and Tier 4 being the lowest. Of these, about 200 were categorized as Tier 1; 750 as Tier 2; 1,700 as Tier 3; and 4,300 as Tier 4.

The Top-Screen obligation is a continuing one for all chemical facilities not otherwise exempt by statute or rule. DHS’s determination that a facility does or does not present a high-level security risk is dynamic—an assessment taken at a precise point in time; it can change as circumstances change. For example, if a facility changes its processes and introduces new COIs at or above their STQs, DHS’s initial risk snapshot may no longer be accurate. This is considered a material modification; in such a case, the facility must submit a new Top-Screen to DHS within 60 days.

From the security practitioner’s standpoint, this dynamism can work to the company’s advantage, giving it the ongoing opportunity to make strategic decisions that could reduce the risk it poses and the regulatory burden it must bear. Many facilities have had their preliminary tier ranking adjusted or have exited CFATS regulation altogether due to such a “material modification” and subsequent Top-Screen resubmission.

Vulnerability Assessments

All preliminarily high-risk facilities had to complete a detailed security vulnerability assessment (SVA) within a prescribed time; for example, Tier 1 SVAs were due at the end of September 2008 and Tier 4 SVAs were due in early January 2009.

The CFATS borrows heavily from preexisting SVA methodologies, such as the SVA developed by the Center for Chemical Process Safety, but the CFATS SVA is unique in many respects because it is a COI-specific and asset-driven analysis with DHS-articulated attack scenarios. Like the Top-Screen, most facilities complete the SVA using the Chemical Security Assessment Tools.

Assume a facility has a single COI, acetylene. Among the steps to be taken would be that the facility must identify the equipment at the facility that contains the largest inventory of acetylene. Equipment may be vessels, process units, and piping, among other things.

The facility then must conduct a series of attack scenarios against the identified acetylene-containing asset, including an aircraft crash attack, a vehicle-borne improvised explosive device (VBIED), maritime/ boat-borne IED attack (if applicable), an assault-team attack, and a standoff attack.

The data submitted in the SVA are used by DHS to make the final determination as to whether the facility is, in fact, high-risk and to make a final determination of the facility’s tier level. High-risk facilities will be directed to enter phase three of the CFATS process: the creation of a detailed site security plan (SSP).

Site Security Plan

The SSP is the heart of CFATS compliance. By any standard, the creation, approval, and eventual implementation of the SSP will be a challenge.

The SSP must lay out what security measures will address each vulnerability identified in the facility’s SVA. It must describe how those measures will meet or exceed each applicable performance standard for the appropriate risk-based tier for the facility.

DHS must approve each SSP, which entails a two-step process consisting of an initial, high-level review, followed by a visit from a DHS inspector. Only after DHS approval of the plan does the facility implement the physical, cyber, process, and personnel security enhancements articulated in the SSP.

As previously described, Congress required DHS to adopt the risk-based performance standard model as the underlying structure for chemical facility security and, thus, for the SSP. However, Congress did not specify (or otherwise comment on) the precise nature of the RBPS. Congress deferred to DHS’s expertise to develop it as part of its rulemaking process.

In the end, DHS articulated 18 RBPSs while reserving its right to add to the list in the form of RBPS-19, which requires a regulated facility to “[a]ddress any additional performance standards the Assistant Secretary may specify.”

Many of the RBPSs reflect elements of security management already implemented by chemical companies, such as security enhancements undertaken by members of the American Chemistry Council (ACC), which adopted a Responsible Care® Security Code in the wake of 9-11. For example, the RBPS-1 directive to “[s]ecure and monitor the perimeter of the facility” pursuant to RBPS-1, and the RBPS-16 mandate to “[i]dentify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the site” are not new to many chemical sites.

Other aspects of RBPS could require significant enhancements. An example would be RBPS-4’s requirement to “[d]eter, detect, and delay an attack, creating sufficient time between the detection of an attack and the point at which the attack becomes successful…” and RBPS-12’s push for personnel surety; both continue to be the subject of much debate.

As noted, CFATS defines only the actual security outcome—for example, the requirement to “restrict area perimeter.” The technology, methods, or hardware a facility chooses to satisfy the requisite performance standard for its risk-tier is a facility-specific decision, the adequacy of which will be decided by DHS in consultation (and, in some cases, more formal negotiation) with each facility.

Performance standards give security planners the flexibility to select the most appropriate layered protective measures based on a facility’s unique considerations, thereby avoiding an imperfect “one size fits all” solution. This does not mean that DHS can’t offer specific guidance to assist facilities in understanding the intent of each RBPS. The agency has, in fact, issued detailed guidelines, which were first issued in draft form last year and released in final form May 15, 2009.

The document includes examples of specific measures and practices that a high-risk facility may choose to consider as part of its overall strategy to address the RBPSs.

In addition, the guidance includes an SSP form that must be completed by each facility to satisfy the requirement for developing an SSP.

More than 1,000 questions in length and organized around each of the 18 RBPSs, the SSP form is a data collection tool featuring several components: Facility Information, Facility Operations, Facility Security Measures, Asset Security Measures, and Submission.

The Facility Information section seeks basic information about the facility, such as its address and the dates of the facility’s most recent CFATS Top-Screen and SVA submission. This section also includes a pre-populated list of the COIs included in the DHS Final Notification Letter (the same letter that informs the facility of its final risk tier and the need to complete the SSP).

The facility must verify that the prepopulated COI list is accurate or report any discrepancies to DHS. This section also permits the facility to provide information about “Security/Vulnerability Issues Related to Other COI of Concern to the Facility.”

The Facility Operations section requires the facility to describe itself; provide name and contact information for the facility security officer (FSO), the assistant FSO, the chief security officer (CSO), and the chief information security officer (CISO); and provide significant detail regarding on-site and off-site emergency response capabilities.

For example, the SSP form asks whether the facility has a fire department, hazardous materials team, and any special response capabilities. Information on personnel and staffing as well as chemical operations is also sought. Along with the form, the facility can upload supporting documentation, such as aerial photos and plot plans.

An interesting option is to submit what DHS calls an Alternative Security Program (ASP) in lieu of the SSP. In that case, a facility would complete the SSP form up to where it asks if you intend to submit an ASP but before getting into the Facility Security Section. Because the ASP option is a less clearly defined process, a facility that selects this route may face more uncertainty with regard to whether the plan will pass muster.

The Facility Security section is the most detailed: the facility must answer multiple questions pertaining to all applicable RBPSs. This section parallels the DHS guidance document mentioned earlier. For each of the RBPSs, the guidance lists many security options a facility might consider to satisfy the performance requirement or a particular aspect of it. Generally, the SSP form takes the guidance’s protective concepts and examples for each RBPS and turns them into a yes/no choice.

RBPS 2.2, for instance, concerns anti-vehicle measures, and the guidance discusses barrier concepts that could satisfy the need for anti-vehicle measures. The SSP, under Section 2.2, has some of those barriers listed; the facility can check the measures adopted or add one under “other.”

The “other” box might be used if the facility has employed anti-vehicle measures not listed in the SSP or where a simple yes/no choice does not adequately communicate the security measure or relevant circumstances to DHS.

For RBPS-1 (Restrict Area Perimeter), the SSP form asks “[d]oes the facility have any existing, planned, or proposed security measures for RBPS 1?” Assuming the answer will be “Yes” in most instances, the facility will then answer a series of detailed yes/no questions regarding the perimeter. This line of questioning covers topics ranging from whether the perimeter includes a clear zone to issues associated with perimeter intrusion detection systems per the protective concepts and examples in the RBPS guidance under perimeter security.

For each RBPS, the facility has the option of including Planned Measures and Proposed Measures. Planned Measures are security measures, enhancements, or processes that the facility intends to implement, and “…the facility wants DHS to consider in determining the satisfaction of the RBPS.” DHS will verify these planned security measures, which could be evidenced by a purchase order or a building permit.

Proposed Measures provide a mechanism for the facility to gain analytical feedback from DHS regarding possible security enhancements. These are not considered by DHS for SSP approval purposes.

In the Asset Security Measures section, the facility may describe security for specific facility assets distinct from security measures that apply facility-wide.

After completing the SSP, the facility validates and submits the SSP, thereby initiating DHS’s review. Facilities must submit the SSP via the CSAT within 120 calendar days of written notification from DHS.

A word of caution: Because the SSP form essentially turns each RBPS into a series of yes/no questions, the complexity of some of the RBPSs can be easily lost or overlooked. In addition, and perhaps most importantly, the SSP does not result in a functional security plan that can be used for day-to-day operational purposes.

Consider RBPS-12. It requires that the facility “[p]erform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or other critical assets….”

DHS specifies four mandatory components of a CFATS personnel surety program: “(1) measures designed to verify and validate identity; (2) measures designed to check criminal history; (3) measures designed to verify and validate legal authorization to work; and (4) measures designed to identify people with terrorist ties.”

Neither the SSP questionnaire’s yes/no query regarding RBPS-12 nor the RBPS guidance addressing this topic go far to assist a facility in implementing a personnel surety program in practice.

Personnel surety transcends security and will require the assistance of the human resources department. HR should be made aware of RBPS-12 (many are not) and enlisted to work with the CSO to ensure compliance. For example, HR and the CSO should review the organization’s current background screening procedures with an eye toward scope and applicability.

Scope has two aspects; one refers to the types of crimes, conduct, or behavior that may disqualify an individual as it applies to employment or a class of employment. It may be job specific; for instance, a drunk driving conviction might disqualify a person from driving a truck but not from working in accounting.

A second aspect of scope would concern what type of job is covered. There’s some discretion. CFATS requires screening of facility personnel and, as necessary, visitors who have unescorted access to critical or restricted areas.

Next is applicability. That means that the corporation’s current personnel surety program should be assessed specifically in the context of CFATS. For example, depending on the scope of the current program’s criminal history provisions, it may be necessary to expand the list of disqualifying crimes under RBPS-12.

This begs the obvious question: What crimes should a background check cover and how far back should it look? Some companies plan to model RBPS-12’s requirement after the list of crimes established by the Transportation Security Administration under its Transportation Worker Identification Credential (TWIC) program. Pursuant to federal law (49 CFR § 1572.103), a person convicted of certain crimes is either permanently or preliminarily disqualified from obtaining a TWIC ID card, which enables the holder to have unescorted access to secure areas of certain Coast Guard-regulated maritime facilities and vessels.

Applying the TWIC crimes is probably a good practice. In fact, DHS has now stated that “a facility may choose to forgo additional background checks on any individual who possesses a current, authentic TWIC.”

As a part of a personnel surety program, companies will have to run names by the government to be screened against classified terrorist databases. DHS has said that it will provide a secure portal or other means by which companies can submit names that can be run against these lists, not to be confused with the “Specially Designated Nationals and Blocked Persons” list maintained by the U.S. Department of the Treasury’s Office of Foreign Asset Control, which is publicly available.

Sensitive But Unclassified

An equally complex aspect of SSP development and eventual implementation will be managing the vast amounts of Chemical-Terrorism Vulnerability Information (CVI) that CFATS will generate. CVI represents a type of “sensitive but unclassified” information that must be protected from unauthorized disclosure. The CFATS regulations delineate eight specific categories of information that constitute CVI, including SVAs and SSPs.

Only CVI authorized users with a “need to know” may gain access to CVI. This has presented a unique challenge, as some CSOs have been handed the ginger task of requesting that their most senior leadership take DHS’s required online “CVI Authorized User” training before engaging in a conversation about CFATS that could reveal CVI.

In addition, the CFATS regulations prescribe specific ways that facilities must mark and otherwise handle CVI. For example, the top of every page of a CVI paper record must display a “protective marking” which is simply the capitalized words “CHEMICAL-TERRORISM VULNERABILITY INFORMATION.”

Determining what is—and what is not—CVI has already been a challenge. For example, SVAs submitted to DHS for the purpose of CFATS compliance are CVI. However, a preexisting SVA that a facility conducted voluntarily after 9-11 is not CVI even if the two documents share some of the same information.

Many companies have already developed CVI policies and procedures and have conducted CVI training for employees beyond the online training DHS mandates through the authorized user validation process, which is merely an overview of CVI that does not sufficiently inform personnel regarding their responsibilities as they relate to the day-to-day handling of CVI.

Companies also have to grapple with CFATS recordkeeping requirements. Some of them have raised concerns regarding the scope of the recordkeeping provisions articulated in the regulation.

For example, CFATS requires a facility to record the “maintenance, calibration, and testing of security equipment” for a period of three years. This record must include the “…date and time, name and qualifications of the technician(s) doing the work, and the specific security equipment involved for each occurrence of maintenance, calibration, and testing.”

While the maintenance, calibration, and testing of a facility’s intrusion detection system would certainly be a covered record, ambiguity arises in other contexts. Would merely cleaning a surveillance camera’s lens at regular intervals rise to the level of “maintenance” contemplated by the regulation? Also, maintenance, calibration, and testing of security equipment records may be CVI.

CFATS likely means that the number of people who will have to get CVI authorized-user clearance is going to grow exponentially. For example, security officers may need to obtain a CVI authorized-user clearance. Vendors may also have to do so.

That’s just a glimmer of the complexity involved in complying with CFATS, which will continue to present challenges. Not surprisingly, that complexity carries a high price tag. By the calculations of the Department of Homeland Security, prepared for the Office of Management and Budget (OMB), the cost of CFATS compliance over a nine-year period is estimated to be $8.5 billion. This figure assumed 5,000 CFATS-regulated facilities.

According to one security director at a chemical company with multiple regulated facilities, the OMB estimate is “likely low in terms of the number of regulated sites and the inflation-adjusted cost of security enhancements.”

Some CSOs responsible for multiple regulated facilities have sought in excess of $30 million from senior leadership for CFATS compliance solely to get through SSP development and implementation.

Because of its cost and its significance, CFATS merits attention at the highest levels. CEOs, CFOs, and the corporate boards of major companies have been or should be briefed on CFATS. The security of chemical facilities can no longer be left to the lower corporate echelons.

Steven E. Roberts is an attorney with Roberts Law Group, based in Houston, Texas. He assists companies in complying with CFATS and other homeland security regulations. The firm’s Web site iswww.chemicalsecurity.com.