What to Expect When You’re Expecting a CFATS Compliance Inspection
Posted: June 11th, 2020Authors: Lizzie S.
The U.S. Department of Homeland Security (DHS) administers the Chemical Facility Anti-Terrorism Standards (CFATS) program, intended to set standards and monitor the security of listed hazardous chemicals stored at certain locations. Each “high risk” facility covered by the CFATS program is required to submit and maintain an Alternative Security Program (ASP) or Site Security Program (SSP), which contains security measures that sufficiently meet all Risk-Based Performance Standards (RBPS). Once your ASP or SSP has been approved and timelines for implementing planned measures have expired, DHS will reach out to schedule your first compliance inspection. What do you need to know before your inspector shows up?
While DHS can show up at your facility unannounced, typically DHS will reach out to schedule your compliance inspection. Depending on the size of your facility and the number of chemicals of interest (COIs), the inspector will may plan to be onsite for 1-2 days. However, with sufficient prep work on your part, the inspector may get everything he or she needs within 2-4 hours onsite. Let the inspector know what personal protective equipment (PPE) they will need to have to come onsite, and coordinate providing any PPE they may not have.
Ensure that all necessary individuals are available to participate in the inspection as needed, including your Facility Security Officer (FSO), Plant Manager, Human Resources, Chemical of Interest (COI) area “owners,” security personnel, training managers, Project Managers/Engineers for any physical security upgrades required by the SSP or ASP, and Information Technology (IT) personnel. Ensure that all individuals are Chemical-Terrorism Vulnerability Information (CVI) Authorized Users and obtain copies of all of their CVI certificates – your inspector will ask to see these before beginning the inspection. Plan to have all individuals attend a kick-off meeting once the inspector arrives. The kickoff meeting should be used to clearly define the purpose of the inspection, the plans for the day, the expectations of the inspector, and safety and emergency procedures for the site. The inspector may ask for some individuals to stay and for others to remain available in the event of questions. Upon completion of the inspection, conduct a close-out meeting with the group. The inspector will review findings and there will an opportunity for all parties to ask questions.
The better prepared you are for your compliance inspection, the more efficient the inspector can be with the on-site portion of the inspection. It is best to pull together all records and documentation ahead of the inspection and store these documents in a binder. For each type of record required, pull a few sample records to show the inspector. If you do not have any completed records, for example if you have not had any security breaches, provide your recordkeeping template that would be used when needed. Be sure to have the following information handy:
- A diagram or map of your facility for reference if needed
- SSP or ASP
- Date of implementation for all planned security measures
- Training records
- Key access logs, as applicable
- Records of security breaches
- Records of drills and exercises
- Emergency Response Plan
- Policies or procedures pertaining to existing or planned security measures
- Annual self-audit
- Security post-orders
- Security logs (e.g. round sheets, visitor sign-in logs)
- Communication with law enforcement, including invitation to come onsite
- Maintenance records for security equipment
- COI inventory on the day of inspection in pounds (the inspector will compare against the maximum inventory in the most recent Top-Screen)
- List of individuals who were background checked as required by RBPS 12, with the date that background checks were completed
- IT network map, name of firewall and operating system
The inspector will likely want to lay eyes on your COI(s), their respective control rooms, and any physical security upgrades required by your SSP or ASP. The inspector may also ask questions regarding the facility perimeter and facility entrance points. If you have security cameras installed, the inspector may ask for operators or security guards to roll back the footage to a night-time view. The inspector may ask questions of the security personnel and/or operators.
After the Inspection
If this was your initial compliance inspection and your SSP or ASP included planned security measures, the inspector will likely recommend submitting an updated SSP or ASP to reflect that your planned security measures are now existing security measures. This update will make future compliance inspections even simpler. If you are a Tier 3 or 4 facility and have not yet been notified by DHS of the requirement to screen employees with access to the COI for terrorist ties, you can wait until you have received that notification to submit your updated SSP or ASP – see our previous article on personnel surety for more information.
DHS is currently restricting travel and is not conducting in-person inspections. We have heard of some inspectors planning to conduct inspections virtually, with a follow-up site visit for the physical inspection in the coming months. Virtual inspections may include sending copies of your records and documentation physically or electronically to your inspector and setting up a conference call to review. When sending CVI material physically or electronically, be sure to follow the instructions on the CVI cover sheet.
If it has been a year since your SSP or ASP approval and you have not been contacted by DHS for an inspection, or if it has been more than 12-18 months since your previous compliance inspection, reach out to your DHS contact to ask how they are planning to handle inspections in the near-term.
ALL4 provides CFATS compliance inspection support and can help you prepare for and succeed in your compliance inspections. For all of your CFATS-related questions, please contact me at firstname.lastname@example.org or at (770) 999-0269. Look for more CFATS content from ALL4!