CFATS Regulatory Update
Posted: September 22nd, 2020Authors: All4 Staff
Over the summer, there have been several key developments with regards to the Department of Homeland Security’s (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program, including a Federal Register Notice, Reauthorization, Personnel Surety Program (PSP) Rollout, and COVID. Read on to see how these developments could impact your facility.
June Federal Register Notice and Potential Impacts
On June 22, 2020, DHS Cybersecurity and Infrastructure Security Agency (CISA) published Federal Register Notice (Vol. 85, No. 120) regarding a retrospective analysis of the data, assumptions, and methodology used to support the 2007 interim final rule for the Chemical Facility Anti-Terrorism Standards (CFATS) program. This analysis reviewed the actual costs of the CFATS program over its first 10 years and determined that the actual cost of the program was about 83 percent lower than the original 2007 estimate. Comments on the retrospective cost analysis were due by September 21, 2020.
This dramatic overestimation by the 2007 regulatory impact analysis (RIA) was primarily driven by DHS’s uncertainty on two fronts:
- The total number of facilities that would ultimately be affected by the program, and
- The security measures chemical facilities had already put into place prior to the program’s implementation.
Fewer facilities ended up being affected, and more security measures were already in place at affected facilities than CISA initially predicted. As a result, of the originally estimated roughly $9.8 billion the agency expected CFATS to cost, only about $1.7 billion was actually required to implement the program.
Potential Regulatory Outcomes
According to the June 22 Notice, CISA will use the RIA:
- “To improve the accuracy of cost estimates incurred by regulated facilities since 2007;
- as a basis for future regulatory changes to the CFATS program; and
- to perform cumulative impact analysis on the full costs of the program as it evolves.”
Based on discussions with DHS, ALL4 understands that changes in the CFATS program will likely be related to the chemicals of interest (COI) listed in Appendix A to 6 CFR Part 27 and their respective threshold quantities. To date, there have been no changes to the COI list (or to the threshold quantities described therein) since its publication in 2007, less than a year after CFATS first appeared on the Federal Register. Since that time, DHS has gained experience regarding the true threats posed by chemicals onsite at regulated facilities and their threshold quantities.
Although the June 22 Notice does not suggest specific updates to the COI list, future updates to Appendix A could result both in additional facilities becoming “Tiered” CFATS facilities and in additional chemicals at already “Tiered” CFATS facilities becoming “Tiered” COI. To gain insight into what potential changes DHS may propose to Appendix A, ALL4 investigated the development of Appendix A. The Federal Register Proposed Rule 6 CFR 27 (Vol. 71, No. 249, December 28, 2006) listed information to be reviewed by the Vulnerability Assessment (VA) Team as appropriate for determination of critical assets and development of Appendix A, including:
- Regulatory lists of hazardous chemicals, such as Clean Air Act 112(r) list of flammable and toxic substances for the U.S. EPA Risk Management Program (RMP) or the Occupational Safety and Health Administration (OSHA) Process Safety Management (PSM) list of highly hazardous chemicals,
- Inhalation poisons,
- Chemical Weapons Convention list,
- Federal Bureau of Investigation (FBI) Community Outreach Program for Weapons of Mass Destruction materials and precursors,
- The Australia Group list of chemical and biological weapons, and
- Chemicals susceptible to reactive chemistry.
A review of this information against your facility’s chemical inventory may provide insight into how potential changes to Appendix A may affect your facility. DHS may also adjust (increase or decrease) the threshold quantities for chemicals currently listed in Appendix A. Any future changes to 6 CFR Part 27, including Appendix A, would be subject to rulemaking, including a public comment period.
Following years of Congressional inaction on a reform package for CFATS, the Trump Administration issued a series of short-term extensions to the program between 2018 and 2020, the most recent of which was slated to expire on July 23, 2020. On July 22, one day before the program expired, President Trump signed a reauthorization to extend the current CFATS program by three years.
As discussed in our previous article on the CFATS PSP Process, pursuant to Federal Register Notice (84 FR 32768) issued on July 9, 2019, Tier 3 and 4 facilities are being contacted by DHS and notified of the requirement to comply with RBPS 12(iv). DHS is taking a phased approach to the rollout, sending approximately 80 notifications a month beginning in May of 2020. Following notification, a facility will have 30 days to submit an updated Site Security Plan (SSP) or Alternative Security Plan (ASP), indicating how the facility intends to comply with the requirements of RBPS 12(iv). The updated ASP should address the following questions:
- Who does the facility define as an affected person (e.g. persons with access to the COI, all employees, all individuals entering the facility)?
- How will affected individuals be notified of their personally identifiable information (PII) being provided to DHS (such as by letter or in-person)?
- Will the facility update DHS when individuals no longer have access to the COI (e.g. change in job assignment, termination)? (Note: Facilities do not have to notify DHS, but it is recommended)
- Who will safeguard the PII of employees being submitted to DHS (this is typically someone in the Human Resources Department)?
Although no action is required until the facilities have been notified, voluntary participation prior to notification is allowed.
Due to complications and travel restrictions related to COVID-19, DHS has postponed over 200 compliance inspections and several authorization inspections. This affects both the format and expected frequency of inspections going forward.
DHS is taking a two-pronged approach to its modified inspections of facilities:
- Remote Documentation Audits – DHS will request that facilities send (typically, electronic) copies of their compliance documentation to their inspector a few weeks prior to the scheduled inspection for review. The inspector may follow-up with questions or request a conference call to review the documentation.
- Modified In-Person Inspection – The inspector will come onsite for a brief inspection of physical security measures, typically avoiding large group conference room settings.
While DHS continues in its aim to inspect Tier 1 and 2 facilities every 12 months and Tier 3 and 4 facilities every 12-18 months, follow-up compliance inspections may be delayed as DHS catches up on postponed compliance inspections. The modified inspection format highlights the importance of having CFATS documentation compiled and ready to send to an inspector. ALL4 recommends that CFATS facilities maintain compliance binders containing CFATS-related procedures, recordkeeping templates, and sample records.
Throughout COVID, DHS continues to visit facilities in need of assistance, and ALL4 recommends that facilities maintain communication with their DHS contacts.
If you have questions regarding CFATS or any of the 2020 developments, please contact Lizzie Smith at firstname.lastname@example.org or at (770)-999-0269.