CFATS Packs A Punch

​The Chemical Facility Anti-Terrorism Standards (CFATS) program got off to a bit of a rough start. In its first five years, it didn’t approve a single facility site security plan and was only authorized year-to-year via fiscal year funding for the U.S. Department of Homeland Security (DHS). In its first few rounds in the ring, CFATS could barely make it to the bell.

Fast forward from 2010 to 2015 however, and CFATS has come out swinging, rejuvenated by efforts to streamline the program, a focus on outreach to stakeholders, and a four-year authorization by Congress—a major victory for the program now in its eighth year. Security Management sat down with David Wulf, director of DHS’s Infrastructure Security Compliance Division, which oversees CFATS, to discuss these efforts and their implications for private security. 

“It puts the program on stable footing, so it enables us to plan for the future of the program to continue to recruit and retain the best and brightest,” Wulf says. “It also provided much-deserved regulatory certainty for our industry stakeholders who, as they contemplate making CFATS-related investments in security, have the assurance that the program is really and truly here to stay.”

Authorized in 2007, CFATS identifies and regulates high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. Facilities are divided into tiers (1 through 4) and are required to prepare security vulnerability assessments—which identify facility security vulnerabilities—and develop and implement site security plans that include measures that satisfy 18 identified risk-based performance standards.

Approximately 3,400 facilities in the United States—ranging from chemical manufacturers to fisheries to prisons—fall under CFATS regulations. “The universe of CFATS-regulated facilities is a pretty broad and diverse one,” Wulf says. “It’s much more than what folks might normally think of as a chemical facility.”

CFATS recently received a major boost with the passage of the CFATS Act by Congress. It not only authorizes the program for an additional four years, it also introduces new aspects to the program to further streamline the compliance process—both for DHS officials and for regulated facilities.

One of the major new developments with the passage of the CFATS Act is the creation of an Expedited Approval Program for Tier 3 and Tier 4 facilities. 

Traditionally, the CFATS approval program requires regulated facilities to submit a site security plan to the program. CFATS then reviews the plan—called authorization—and completes an authorization inspection, which allows CFATS inspectors to visit the facility and meet with stakeholders to discuss how the site can meet the 18 risk-based performance standards they are required to address through nonprescriptive guidance. 

The facility then creates a site security plan that best addresses the unique characteristics of its facility. That plan is submitted to CFATS for approval, the facility implements its plan, and CFATS conducts compliance inspections to ensure that the plan meets regulations. 

With expedited approval, however, facilities will be placed on a fast track for approval. “It was really the brainchild of now-retired Sen. Tom Coburn (R-OK), who was looking at ways in which he could provide us a means to more quickly get through the backlog of site security plans that are awaiting approval,” Wulf explains. 

To qualify for the program, Tier 3 and Tier 4 facilities will submit a site security plan that shows how they will meet the risk-based standards using methods that CFATS has outlined. If these methods don’t deviate from CFATS  guidelines, the facilities will automatically be granted approval and enter into the compliance cycle, bypassing the authorization inspection process.

For instance, CFATS-regulated facilities have to address perimeter security and have measures designed to deter, detect, and delay terrorist attacks. Under the normal approval process, facilities can choose a variety of measures to address this risk. “If a facility wants to do the expedited approval, it will have to essentially say, ‘I agree. We will have at least an 8-foot fence,’” Wulf explains.

The specific options that facilities can use to address the risk-based standards will be listed in guidance that the program plans to release this summer in the Federal Register and online. They were developed using best practices learned by DHS and stakeholders over the lifetime of the program, Wulf adds.

With the passage of the CFATS Act, the program is also pursuing approval from the Office of Management and Budget (OMB) for an information collection request. If approved, it will give facilities three different ways to comply with the part of the standard that requires a check to determine whether employees have ties with terrorists. 

One option is allowing facilities to submit to DHS the personal identifying information of individuals who will have unescorted access to high-risk chemical facilities and their chemical holdings. Those individuals include employees and contractors who may have access to restricted areas of the facilities. That information will then be vetted against the Terrorist Screening Database, and the facility can allow those individuals access.

A second option allows facilities to leverage existing vetting programs and submit a limited amount of information to DHS to run a check on individual Transportation Worker Identification Credential (TWIC) cards or hazardous materials endorsements on commercial driver’s licenses. This option “would essentially verify the continuing validity of those existing credentials to ensure that they’re not counterfeit or expired,” Wulf adds.

The final option CFATS hopes to make available would be an electronic vetting option. It would allow facilities to use electronic vetting technologies, like TWIC card readers, without submitting additional information to CFATS. “Essentially, if a facility so chooses, it will be able to allow folks to rely on vetting essentially through visual inspection, allowing folks to use TWIC cards or other credentials as a flash pass,” Wulf says.

Once DHS receives approval from OMB, it plans to roll out the options for compliance in a phased manner, beginning with facilities that have already received approved security plans.

CFATS is also continuing its efforts to streamline various program processes, making considerable progress over the past few years by approving more than 1,700 site security plans—the approximate mid-point for nearly all regulated facilities.

It’s specifically worked to streamline the inspection process by doing more preliminary work with facilities before inspectors show up on site. “There are phone conversations, conference calls between the facilities and inspectors where they go through many of the risk-based performance standards, and they clarify what sorts of things will be important to have taken care of before the inspection,” Wulf adds. 

CFATS is also taking a more corporate-friendly approach for companies that have multiple facilities regulated under the program. “More than a third of our regulated population consists of facilities that are part of multiple-facility companies,” Wulf explains. “And so where companies have multiple CFATS facilities, we give them the option to have assigned a company point of contact within our division.”

That point of contact works with the company at the corporate level to look at inspection scheduling efficiencies and to look at security policies that apply across all the company’s facilities. This allows inspectors to be familiar with the corporate security policies that exist when they get on site, making the inspection and site security plan approval process progress more quickly.

Additionally, CFATS continues to offer compliance assistance to regulated facilities through services like its help desk so they aren’t developing their site security plans “in a vacuum,” Wulf adds. “Our inspectors, our headquarters security specialists, are available. Our inspectors will make site visits—called compliance assistance visits—to work with facilities as they consider different options for meeting those nonprescriptive risk-based performance standards.”

This type of “full service” assistance is a significant part of the CFATS program and is one of the reasons it’s been able to make so much progress over the past few years. “The buy-in we’ve had from our regulated industry stakeholder community has been a huge part of why we’ve been able to make the progress that we have,” Wulf says. “And continuing to foster and continuing to focus on that compliance assistance as a priority is going to certainly be important going forward.” 

Wulf says he’s optimistic that CFATS will approve at least 2,000 site security plans by this summer and complete site-security plan approvals within the next few years. 

“We’re excited within the next year-and-a-half to get through the backlog of site-security plan approvals and get the program into a regular cycle of compliance inspection activity,” Wulf explains. “Essentially, that means getting out on a regular basis to inspect facilities that have already gotten their site security plans to the point of approval.”