Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities

Transcription

1 Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities Developed by the American Chemistry Council in cooperation with the Department of Homeland Security 2 nd Edition: December, P a g e

2 Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities Table of Contents Introduction... 4 Determining Applicability of CFATS to Chemical Facilities... 4 Chemical Security Assessment Tool... 4 Register to Access CSAT... 5 Top Screen... 5 Security Vulnerability Assessment... 5 CFATS Tier Levels and Risk Based Performance Standards... 5 Site Security Plan... 5 Alternate Security Programs (ASPs)... 5 Required Elements of SSPs and ASPs... 6 Template and Instructions for Completing an Alternate Security Program (ASP)... 6 Review and Approval of an Alternate Security Program (ASP)... 7 Submission Schedule... 7 Material Modifications... 8 Requests for Redetermination... 8 More on CFATS Tier Levels and Risk Based Performance Standards (See Appendix A3)... 9 Preparing for a CFATS Inspection Pre-Authorization Inspections... Error! Bookmark not defined. Authorization Inspections...10 Preparation...11 During the Inspection...13 A1. Definitions and Acronyms A2. Alternate Security Program Template A3. CFATS Risk-Based Performance Standards A4. CFATS Reference Links P a g e

3 3 P a g e

4 Introduction On October 4, 2006, Congress passed Section 550 of the DHS Appropriations Act of 2007 ( Section 550 ), granting the U. S. Department of Homeland Security (DHS) the authority to regulate chemical facilities that present high levels of security risk. Then on December 18, 2014, the President signed into law the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 ( the CFATS Act of 2014 ), which recodifies and reauthorizes the CFATS program for four years. The Chemical Facility Anti-Terrorism Standards (CFATS) final rule was published in the Code of Federal Regulations (6 CFR part 27) on April 9, CFATS establishes a risk-based performance standards approach to screening and securing chemical facilities determined by DHS to be high risk. CFATS requires facilities that possess Chemicals of Interest (COI) at or above applicable screening threshold quantities (STQ) to complete Top-Screen questionnaires. After reviewing the Top-Screen, DHS assigns each facility that is initially determined to be high risk to a preliminary risk tier. Each preliminarily high-risk facility is then required to submit a Security Vulnerability Assessment (SVA). Facilities still deemed high risk after DHS review of the SVA are notified of their final risk tier and required to complete a Site Security Plan (SSP) that satisfies the applicable CFATS risk based performance standards. CFATS allows chemical facilities to submit an Alternate Security Program (ASP) in lieu of a Site Security Plan. DHS Inspectors will visit each high-risk facility and verify the facility s adherence with the ASP before final DHS approval for the facility to continue operation. CFATS specifically exempts the following facilities from regulation under CFATS: facilities regulated under the Maritime Transportation Security Act; facilities owned or operated by the Department of Defense or Department of Energy; facilities regulated by the Nuclear Regulatory Commission; public water systems (as defined by section 1401 of the Safe Water Drinking Act), and water treatment works (as defined by section 212 of the Federal Water Pollution Control Act). Determining Applicability of CFATS to Chemical Facilities Chemical Security Assessment Tool The Chemical Security Assessment Tool (CSAT) is a web-based system used by the DHS to collect and analyze key data from chemical facilities under CFATS. As part of the CSAT system, the User Registration Application is used to grant CSAT access to authorized users. The User Registration Application allows each organization to designate individuals who will be responsible for inputting and verifying the information entered into the CSAT system. This User Guide provides guidance on how to register users and information on specific CSAT user roles and responsibilities. 4 P a g e

5 Register to Access CSAT DHS encourages facilities to register on the CSAT website for a user identification and password if they believe they may be covered by CFATS. Once DHS validates a facility's registration, it will notify the facility how to access CSAT. Information about CSAT is available here: The CSAT User Registration User Guide is located here: To register go to: Top Screen After receiving access to CSAT, facilities are provided access to the Top-Screen, which enables DHS to determine if they are initially considered a high-risk chemical facility covered by CFATS. Security Vulnerability Assessment For facilities that are initially considered high-risk, the Security Vulnerability Assessment (SVA) tool will be available on CSAT. The completed SVA helps DHS to estimate the vulnerability of a chemical facility to a range of defined threat scenarios and to make a final determination of risk level. CFATS Tier Levels and Risk Based Performance Standards If DHS makes a final determination that a facility is considered high-risk for the purposes of CFATS, the facility is assigned a risk tier from 1 (highest) to 4 (lowest). The risk tier determines the level of performance of the facilities protective measures needed to meet the CFATS Risk Based Performance Standards (see More on CFATS Tier Levels and Risk Based Performance Standards and Appendix A3). Site Security Plan Once the final determination of tier level is made, the owners/operators must use CSAT to document the facility security measures in the Site Security Plan (SSP) tool. The tool allows for either the submission of a Site Security Plan or an Alternative Security Program. Alternate Security Programs (ASPs) CFATS presents all covered facilities with the option to submit an Alternate Security Program (ASP) in place of a Site Security Plan (SSP). The Assistant Secretary may approve an ASP, in whole, in part, or subject to revisions or supplements, upon a determination that it meets the requirements of CFATS and provides for an equivalent level of security to that established by CFATS. 5 P a g e

6 Facilities that elect to submit an ASP do so via the CSAT portal. The CSAT preparer proceeds to complete the initial sections of the SSP, and uploads the ASP when prompted to do so. The remainder of the SSP is not completed. Required Elements of SSPs and ASPs CFATS outlines the standards for SSPs and by extension for ASPs in 6 CFR Part as follows: (1) Address each vulnerability identified in the facility's Security Vulnerability Assessment and describe the security measures to address each such vulnerability; (2) Identify and describe how security measures selected by the facility will address the applicable risk-based performance standards and potential modes of terrorist attack including, as applicable: (a) vehicle-borne explosive devices, (b) water-borne explosive devices, (c) ground assault, or (c) other modes or potential modes identified by the Department; (3) Identify and describe how security measures selected and utilized by the facility will meet or exceed each applicable performance standard for the appropriate risk-based tier for the facility; and (4) Specify other information the Assistant Secretary deems necessary regarding chemical facility security. When a covered facility updates, revises or otherwise alters its SVA, the covered facility shall make corresponding changes to its ASP. A covered facility must update, revise or otherwise alter its SVA to account for new or differing modes of potential terrorist attack or for other securityrelated reasons, if requested by the Assistant Secretary. A covered facility must conduct an annual audit of its compliance with its ASP. DHS will provide notice to a covered facility about the approval or disapproval, in whole or in part, of an ASP, using the procedure specified in if the ASP is intended to take the place of a SSP. Template and Instructions for Completing an Alternate Security Program (ASP) The American Chemistry Council ( ACC ) has developed, in cooperation with DHS ISCD and the National Association of Chemical Distributors, a template that may be used to complete an ASP in lieu of a SSP. This Template is an improvement over the original ASP that ACC developed in 2012 and offers numerous improvements. Facilities electing to use this template, using the guidance and instructions provided, may find that this format is not only adequate for submission to the DHS, but is more suitable to use as a practical site tool for implementing the 6 P a g e

7 ASP than if the DHS CSAT SSP was utilized. ACC takes no responsibility for any action taken by an individual ACC member or other party. The ACC ASP Template, along with guidance and instructions, are included in Appendix A2. Review and Approval of an Alternate Security Program (ASP) DHS will review the ASP documentation and make a preliminary determination as to whether it satisfies the requirements. If DHS finds that the requirements are satisfied, DHS will issue a Letter of Authorization to the covered facility. Following issuance of the Letter of Authorization, DHS will inspect the covered facility for purposes of determining compliance. If DHS approves the ASP, it will issue a Letter of Approval to the facility, and the facility shall implement the approved ASP. DHS cannot disapprove an ASP based on the presence or absence of a particular security measure. DHS may disapprove an ASP that fails to satisfy the risk-based performance standards established in (see Appendix A3). If DHS disapproves an ASP, it will provide the facility with a written notification that includes a clear explanation of deficiencies. The facility shall then enter into further consultations with DHS and resubmit a revised ASP by the time specified in the written notification provided by DHS. If the resubmitted ASP is determined not to satisfy the requirements, DHS will provide the facility with written notification (including a clear explanation of deficiencies) of DHS's disapproval. In the event that the owner or operator of a facility takes issue with the disapproval determination by DHS of an ASP, the owner or operator may institute proceedings for adjudication of the determination by a neutral adjudicating officer appointed by DHS. A Notice of Application for Review must be filed within seven (7) calendar days of notification to the facility of DHS s determination, and an Application for Review must be filed within fourteen (14) calendar days of notification to the facility of DHS s determination. More information on the adjudication procedures is available in CFATS through Submission Schedule Initial Submission Facilities shall complete and submit a Top-Screen within 60 calendar days from the day that the facility comes into possession of any of the chemicals listed in Appendix A of CFATS at or above the STQ for any applicable security issue; or within the time frame provided in any written notification from DHS. A covered facility must complete and submit a SVA within 90 calendar days of written notification from DHS. 7 P a g e

8 A covered facility must complete and submit an ASP within 120 calendar days of written notification from DHS. Resubmission Schedule for Covered Facilities Tier 1 and Tier 2 covered facilities must complete and submit a new Top-Screen no less than two years, and no more than two years and 60 calendar days, from the date of DHS's approval of the facility's ASP; Tier 3 and Tier 4 covered facilities must complete and submit a new Top-Screen no less than 3 years, and no more than 3 years and 60 calendar days, from the date of DHS's approval of the facility's ASP. A covered facility must complete and submit a new SVA within 90 calendar days of written notification from DHS following a Top-Screen resubmission pursuant to (b). A covered facility must complete and submit a new ASP within 120 calendar days of written notification from DHS following a SVA resubmission. Material Modifications DHS response to a reviewer of the Proposed Rulemaking who asked for a definition of material modifications was: Material modifications can include a whole host of changes, and for that reason, the Department cannot provide an exhaustive list of material modifications. In general, though, DHS expects that material modifications would likely include changes at a facility to chemical holdings (including the presence of a new chemical, increased amount of an existing chemical, or the modified use of a given chemical) or to site physical configuration, which may (1) substantially increase the level of consequence should a terrorist attack or incident occur; (2) substantially increase a facility s vulnerabilities from those identified in the facility s Security Vulnerability Assessment; (3) substantially effect [sic] the information already provided in the facility s Top-Screen submission; or (4) substantially effect [sic] the measures contained in the facility s Site Security Plan. If a covered facility makes material modifications to its operations or site, the covered facility must complete and submit a revised Top-Screen to DHS within 60 days of the material modification. DHS will notify the covered facility as to whether the covered facility must submit a revised SVA, ASP, or both. The submission schedule for the revised SVA and/or ASP follows the Initial Submission schedule as described in the previous section. Requests for Redetermination If a covered facility previously determined to present a high level of security risk has materially altered its operations (including material modifications as described above), it may seek a 8 P a g e

9 redetermination by filing a Request for Redetermination, and may request a meeting regarding the Request. To facilitate the review of a Request for Redetermination, DHS suggests it would be helpful to: Submit a substantive description of the material modifications or alterations and provide supporting documentation explaining any significant change(s) in chemical(s) of interest possessed by the facility; Understand the difference between Section (b) (Requests for Redetermination) and Section (d) (revised Top-Screens) of the CFATS Rule (6 CFR Part 27) Consult the CFATS Knowledge Center FAQ #1557 for more information DHS must notify the facility of its decision on the Request for Redetermination within 45 days of the original request or within 45 days of any requested meeting regarding the Request. More on CFATS Tier Levels and Risk Based Performance Standards (See Appendix A3) Certain chemical facilities pose higher security risks than others due to the dynamic nature of the chemical industry, their processes, and other factors. Rather than apply a one-size-fits-all regulatory approach, DHS has established a risk-based approach that takes into account the varying levels of consequence, vulnerability, and threat that facilities present. This approach allows the facilities to establish an appropriate set of security measures commensurate with their specific risks. By establishing risk-based tiers, each facility will be able to select and implement security measures that are commensurate with the level of risk posed by that facility. The riskbased tier structure also allows DHS to prioritize its efforts on the highest risk facilities. As discussed above, CFATS requires chemical facilities to provide DHS with information to determine whether they present a high-risk and therefore are required to implement security measures that meet applicable risk-based performance standards (RBPSs). Based on an assessment of the information a facility submits to DHS, including information submitted through the CSAT Top-Screen, DHS will make an initial determination on whether the facility is considered high-risk. Facilities that are not considered high-risk are notified and are not required to comply further with CFATS (unless they are required to file new Top-Screens based on the acquisition or possession of new COI). For a facility that DHS initially determines to be high-risk, however, DHS will place the facility into one of four preliminary risk-based tiers ranging from Tier 1 (highest-risk) to Tier 4 (lower-risk). The Preliminary tier assignment is based largely upon consequence modeling at the facility. Facilities that are issued a preliminarily risk-based tier are then required to complete a CSAT SVA. The SVA collects more in-depth information about the facility, enabling DHS to assign the facility to the appropriate final risk tier. This in-depth information allows for the calculation of vulnerability, consequence and threat values (using data held by the Federal Government together with that submitted). DHS reviews the SVA to determine whether it continues to consider the facility to be high-risk, and if so, will issue the 9 P a g e

10 facility a final tier determination. The final tier determination drives the facility s selection of security measures in the facility's SSP necessary to satisfy the RBPSs. DHS s algorithm for evaluating risk and assigning tiers is classified, but the presence or quantity of a particular chemical of interest (COI) listed in Appendix A of CFATS is not the sole factor in determining a facility s tier, nor is it an indicator of a facility's eventual or continued coverage under the rule. DHS considers various factors in making both preliminary and final tiering determinations, including potential risk to human health and national security from a successful attack on the facility. To assist high-risk facilities in selecting and implementing appropriate protective measures and practices and to assist DHS personnel in consistently evaluating those measures and practices for purposes of CFATS, DHS s Infrastructure Security Compliance Division has developed the Risk- Based Performance Standards Guidance Document: This Guidance reflects DHS s current views on certain aspects of the RBPSs and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in the document are neither mandatory nor necessarily the preferred solution for complying with the RBPSs. Rather, they are examples of measures and practices that a high-risk facility may choose to consider as part of its overall strategy to address the RBPSs. High-risk facility owners/operators have the ability to choose and implement other measures to meet the RBPSs based on the facility s circumstances, including its tier level, security issues and risks, physical and operating environments, and other appropriate factors, so long as DHS determines that the suite of measures implemented achieves the levels of performance established by the CFATS RBPSs. For more information on the RBPS Guidance Document or CFATS, contact DHS via the CFATS Help Desk either via at csat@hq.dhs.gov or by phone at Preparing for a CFATS Inspection and Compliance Assistance Request a Compliance Assistance Visit (CAV) The Department reaches out and offers Compliance Assistance Visits (CAVs) to CFATS covered facilities. The purpose of these visits is to provide in-depth knowledge of and assistance in complying with the CFATS regulation. To request a CAV, please send an with the following information to CFATS@hq.dhs.gov: 1. Point of contact name and preferred method of contact (e.g. phone number, address). 2. Facility ID. 10 P a g e

11 3. Company name. 4. Specific CFATS-related issue(s) of particular interest to the facility. 5. Identify the facility's preferred location for the CAV and specify whether or not this is a CAV to be held at the headquarters of a corporation with multiple CFATS-covered facilities. 6. Proposed date and time for the CAV. The Department will do its best to accommodate your request and will review and respond to each request within two weeks of its receipt. Decisions will depend on whether an appropriate Department representative is available. Authorization Inspections Authorization Inspections (AI) are conducted AFTER the facility has an authorized (or preliminarily approved) SSP or ASP. The sole objective of the authorization inspection is to confirm that the security measures actually in place or formally planned match the preliminarily approved SSP/ASP, which is now the facility s regulatory standard. A successful authorization inspection results in a letter of approval to operate under the now-approved SSP/ASP. Experience has shown that the pre-authorization inspections are less formal than the authorization inspections and may be conducted in a more collaborative atmosphere than the authorization inspections. However the preparation for each should follow a similar outline, and the principles during the conduct of the inspections are similar. Preparation Working with DHS Maintain a spirit of cooperation and collaboration to the extent possible. If DHS in inspecting the first of your company s facilities, consider proposing an initial Corporate Visit to cover common corporate processes (e.g., RBPS 12 Personnel Surety or RBPS 8 Cyber) Negotiate a mutually acceptable inspection date if the initial proposed date is unworkable for business reasons. Agree in advance on lines of communication formal requests and submissions should be through single points of contact from the facility and inspection team. Try to determine the most likely interviews, document requests and timing in advance. Personnel Designate a team and assign responsibilities (can combine roles depending on size/complexity of facility) o Spokesman o Escort(s) o Facilitator o Photographer o Document controller 11 P a g e

12 Make sure that all personnel communicating directly with DHS have Chemical-Terrorism Vulnerability Information (CVI) handling authorization be prepared to conduct on-thespot CVI on-line training if additional personnel are unexpectedly required to participate. Have key personnel on call during the inspection period. o Facility operations management/supervisors o Facility/corporate security o Cyber-security o Process control o Process/facility safety o Procurement/logistics At least one person should be familiar with the Risk Based Performance Standards as set forth in CFATS, as well as the Risk Based Performance Standards Guidance. Train team and participants to extent appropriate to their duties: o Interview basics o Managing document requests o Regulation overview and SSP/ASP content Site Security Plan/Alternate Security Plan Ensure that the plan accurately reflects what is on the ground. If security measures are in the process of being implemented, be able to show state of implementation and documented plans for completion. All security measures must be in place at the time of SSP/ASP authorization letter, except planned measures documented in the authorized SSP/ASP. Progress toward completion of planned measures must meet or exceed the schedule documented in the authorized SSP/ASP. Ensure that the plan includes procedures for temporary changes, especially notification of DHS and a capability to implement interim security measures as may be required. Documentation Make sure all DHS correspondence is kept in accordance with DHS CVI guidance. Confirm all processes, procedures and design specifications referenced in the SSP/ASP are available for viewing, and potentially for copying and retaining by DHS. Confirm facility has a framework and procedures to meet record keeping requirements as prescribed by Section of CFATS. Be prepared to mark all documents retained by DHS with appropriate CVI and company specific confidential designations. (e.g., training records extracted from your facility training database) Equipment Photocopy machine Camera/Video Stamps for confidential/privileged/trade secret information Logistics Plan DHS arrival arrangements (greet, safety briefing, credentials) 12 P a g e

13 Route for facility tour (audit the route prior to visit) Locations for interviews, joint meetings, team meetings, data review Lunch arrangements (Inspection team may want to have off-site working lunch) Ground Rules to Consider Inspectors to stay in designated areas Inspectors to be escorted at all times while outside designated areas o Ensure safety o Gain insight into priority topics Keep parallel documentation, including photos/videos o If possible, take photos per inspector requests (if they decline, take the same shots they do). o Review photos/videos for CVI, trade secret, business confidential information Employees allowed reasonable notice for interviews Adhere to interview basics o Listen carefully o Tell the truth o Provide facts based on first-hand knowledge o Don t speculate o Generally address question asked, without digression Follow a defined process for production of documents o Requests in writing o One authorized employee to manage Receive request Review document (for sensitivity) Maintain log and copies of produced documents Hand over document to designated inspector During the Inspection Following the Logistics Plan Comply with inspector requests Politely challenge and request an explanation for requests that may not be relevant Seek well-defined schedule early and often Process Review and Physical Walk Through Overview of all processes and flows of material, energy and personnel Explain the key safety hazards, and stress the safety features that prevent catastrophic events and mitigate consequences of accidents Note security systems in walk through Note layout, terrain and location-specific aspects that affect the safety and security of the facility Security Overview Describe protection philosophy (facility based, asset based, or combination) 13 P a g e

14 Describe major security components and how they work together (perimeters, access points, access control, screening, monitoring, response, threat escalation, reporting) Joint Daily Meetings Hold brief joint meetings at end of each day Ask about concerns Plan interviews, tasks for next day o Consider briefing to address concerns Exit Briefing Allow adequate time on last day (1 to 2 hours) Overview of retained documentation and images Opportunity to hear most important concerns Opportunity to lay groundwork for further dialogue Other Considerations Normal schedule is typically 8 to 5 daily for 3 to 5 days Inspection team will likely have working lunches off-site or separately from site team Team members are assigned one or more RBPSs this can lead to repeated questions and overlap since some security systems address multiple Standards Coverage of RBPS 8 Cyber may involve a conference call with a DHS cyber specialist 14 P a g e

15 A1. Definitions and Acronyms A Commercial Grade (ACG) shall refer to any quality or concentration of a chemical of interest offered for commercial sale that a facility uses, stores, manufactures, or ships. A Placarded Amount (APA) shall refer to the STQ for a sabotage and contamination chemical of interest, as calculated in accordance with (d). Alternative* Security Program or ASP shall mean a third-party or industry organization program, a local authority, state or Federal government program or any element or aspect thereof, that the Assistant Secretary has determined meets the requirements of this part and provides for an equivalent level of security to that established by this Part. [*Note that the CFATS regulation appears to use alternative and alternate interchangeably. While paragraph is titled Alternative Security Program, the text of and many other parts of the regulation use the term Alternate Security Program. This guidance will endeavor to use alternate throughout to represent both words.] Assistant Secretary shall mean the Assistant Secretary for Infrastructure Protection, Department of Homeland Security or his designee. Chemical Facility or facility shall mean any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criteria identified by DHS. As used herein, the term chemical facility or facility shall also refer to the owner or operator of the chemical facility. Where multiple owners and/or operators function within a common infrastructure or within a single fenced area, the Assistant Secretary may determine that such owners and/or operators constitute a single chemical facility or multiple chemical facilities depending on the circumstances. Chemical of Interest shall refer to a chemical listed in appendix A to part 27. Chemical Security Assessment Tool or CSAT shall mean a suite of four applications, including User Registration, Top-Screen, Security Vulnerability Assessment, and Site Security Plan, through which DHS will collect and analyze key data from chemical facilities. Chemical-terrorism Vulnerability Information or CVI shall mean the information listed in (b). Coordinating Official shall mean the person (or his designee(s)) selected by the Assistant Secretary to ensure that the regulations are implemented in a uniform, impartial, and fair manner. Covered Facility or Covered Chemical Facility shall mean a chemical facility determined by the Assistant Secretary to present high levels of security risk, or a facility that the Assistant Secretary has determined is presumptively high risk under P a g e

16 CUM 100g shall refer to the cumulative STQ of 100 grams for designated theft/diversion- CW/CWP chemicals and which is located in appendix A to part 27 as the entry for the STQ and Minimum Concentration of certain theft/diversion-cw/cwp chemicals. Operator shall mean a person who has responsibility for the daily operations of a facility or facilities subject to this Part. Owner shall mean the person or entity that owns any facility subject to this Part. Present high levels of security risk and high risk shall refer to a chemical facility that, in the discretion of the Secretary of Homeland Security, presents a high risk of significant adverse consequences for human life or health, national security and/or critical economic assets if subjected to terrorist attack, compromise, infiltration, or exploitation. Risk profiles shall mean criteria identified by the Assistant Secretary for determining which chemical facilities will complete the Top-Screen or provide other risk assessment information. Screening Threshold Quantity or STQ shall mean the quantity of a chemical of interest, upon which the facility's obligation to complete and submit the CSAT Top-Screen is based. Secretary or Secretary of Homeland Security shall mean the Secretary of DHS of Homeland Security or any person, officer or entity within DHS to whom the Secretary's authority under section 550 is delegated. Security Issue shall refer to the type of risks associated with a given chemical. For purposes of this part, there are four main security issues: (1) Release (including toxic, flammable, and explosive); (2) Theft and diversion (including chemical weapons and chemical weapons precursors, weapons of mass effect, and explosives and improvised explosive device precursors), (3) Sabotage and contamination, and (4) Critical to government mission and national economy. Terrorist attack or terrorist incident shall mean any incident or attempt that constitutes terrorism or terrorist activity under 6 U.S.C. 101(15) or 18 U.S.C. 2331(5) or 8 U.S.C. 1182(a)(3)(B)(iii), including any incident or attempt that involves or would involve sabotage of chemical facilities or theft, misappropriation or misuse of a dangerous quantity of chemicals. Tier shall mean the risk level associated with a covered chemical facility and which is assigned to a facility by DHS. For purposes of this part, there are four risk-based tiers, ranging from highest risk at Tier 1 to lowest risk at Tier P a g e

17 Top-Screen shall mean an initial screening process designed by the Assistant Secretary through which chemical facilities provide information to DHS for use pursuant to of these regulations. 17 P a g e

18 A2. Alternate Security Program Template Following is an example of a format developed in cooperation with DHS that could be used as a template for completing and submitting an Alternate Security Program for CFATS compliance as provided in 6 CFR in lieu of a Site Security Plan. Under the CFATS rule, the Assistant Secretary for Infrastructure Protection may approve an ASP submitted by a covered facility upon determination that the ASP meets the requirements of the CFATS rule and provides for an equivalent level of security. However, this provision is facility-specific and only applies to a covered chemical facility after they have submitted and DHS has reviewed the facility s Top Screen and Security Vulnerability Assessment. ACC members choosing to use this ASP Template for meeting their compliance obligation under the CFATS rule should ensure that all the information contained herein is accurate and based on their own facility site specific security risks and vulnerabilities. ACC makes no claim of responsibility for the actions taken by an individual ACC member or otherwise. Guidance and instructions for the ASP Template are imbedded here: [PLACEHOLDER FOR IMBEDDED DOCUMENT] The ASP Template is imbedded here: [PLACEHOLDER FOR IMBEDDED DOCUMENT] 18 P a g e

19 A3. CFATS Risk-Based Performance Standards CFATS covered facilities must satisfy the 18 performance standards as identified in Part DHS has issued guidance on the use of these 18 performance standards to the risk-based tiers of covered facilities: Each covered facility must select and implement appropriately risk-based measures designed to satisfy the performance standards and include them in their Alternate Security Program. (1) Restrict Area Perimeter. Secure and monitor the perimeter of the facility; (2) Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility; (3) Screen and Control Access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter, including, (i) Measures to deter the unauthorized introduction of dangerous substances and devices that may facilitate an attack or actions having serious negative consequences for the population surrounding the facility; and (ii) Measures implementing a regularly updated identification system that checks the identification of facility personnel and other persons seeking access to the facility and that discourages abuse through established disciplinary measures; (4) Deter, Detect, and Delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to: (i) Deter vehicles from penetrating the facility perimeter, gaining unauthorized access to restricted areas or otherwise presenting a hazard to potentially critical targets; (ii) Deter attacks through visible, professional, well maintained security measures and systems, including security personnel, detection systems, barriers and barricades, and hardened or reduced value targets; (iii) Detect attacks at early stages, through countersurveillance, frustration of opportunity to observe potential targets, surveillance and sensing systems, and barriers and barricades; and (iv) Delay an attack for a sufficient period of time so to allow appropriate response through on-site security response, barriers and barricades, hardened targets, and wellcoordinated response planning; (5) Shipping, Receipt, and Storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility; 19 P a g e

20 (6) Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals; (7) Sabotage. Deter insider sabotage; (8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business system, and other sensitive computerized systems; (9) Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders; (10) Monitoring. Maintain effective monitoring, communications and warning systems, including, (i) Measures designed to ensure that security systems and equipment are in good working order and inspected, tested, calibrated, and otherwise maintained; (ii) Measures designed to regularly test security systems, note deficiencies, correct for detected deficiencies, and record results so that they are available for inspection by DHS; and (iii) Measures to allow the facility to promptly identify and respond to security system and equipment failures or malfunctions; (11) Training. Ensure proper security training, exercises, and drills of facility personnel; (12) Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including, (i) Measures designed to verify and validate identity; (ii) Measures designed to check criminal history; (iii) Measures designed to verify and validate legal authorization to work; and (iv) Measures designed to identify people with terrorist ties; (13) Elevated Threats. Escalate the level of protective measures for periods of elevated threat; (14) Specific Threats, Vulnerabilities, or Risks. Address specific threats, vulnerabilities or risks identified by the Assistant Secretary for the particular facility at issue; (15) Reporting of Significant Security Incidents. Report significant security incidents to the Department and to local law enforcement officials; (16) Significant Security Incidents and Suspicious Activities. Identify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the site; 20 P a g e

21 (17) Officials and Organization. Establish official(s) and an organization responsible for security and for compliance with these standards; (18) Records. Maintain appropriate records, and [Note: 6 CFR contains an additional Risk Based Performance standard, as follows:] (19) Address any additional performance standards the Assistant Secretary may specify. As of this writing, there have been no additional performance standards specified by the Assistant Secretary. 21 P a g e

22 A4. CFATS Reference Links Background on Chemical Facility Anti-Terrorism Standards Identifying Facilities Covered by CFATS Appendix A: CFATS Final Rule, including List of Chemicals of Interest (PDF, 41 pages MB) Chemical-terrorism Vulnerability Information (CVI) Overview contains references covering most important aspects of CVI, including definition, disclosure, handling, sharing, training and certification. Chemical-terrorism Vulnerability Information Procedures Manual (PDF, 29 pages KB) Chemical Security Assessment Tool (CSAT) Overview contains references covering CSAT registration, CSAT account management, Top Screen, Security Vulnerability Assessment (SVA), Site Security Plan (SSP) and Risk Based Performance Standard (RBPS). CSAT Registration Overview CSAT User Registration User Guide (PDF, 31 pages MB) Risk for Chemical Facility Anti-Terrorism Standards an introduction to risk and risk-based performance standards Risk Based Performance Standards Guidance (PDF, 194 pages MB) 22 P a g e

23 Statutes and Regulations CFATS Interim Final Rule CFATS Interim Final Rule (alternate link leading to the Federal Register document) on=attachment&contenttype=pdf CFATS Final Rule with Appendix A (PDF, 41 pages MB) CFATS Appendix A only (PDF, 16 pages, 2 MB) The compiled CFATS regulation in the Electronic Code of Federal Regulations 0&idno=6 Chemical Security Laws and Regulations web site containing reference to the relevant statutes, regulations, notices and privacy impact assessments relevant to CFATS 23 P a g e