How CFATS Changed the Face of Chemical Facility Security

June 12, 2012

CFATS With the establishment of the federal Chemical Facility Anti-Terrorism Standards (CFATS) regulations, security is a matter of regulatory compliance for the chemical industry in the United States for the first time in history.

Even companies that have never placed a great focus on security must now take it extremely seriously, not only because of a particular threat or security risk, but also because of potential penalties from the Federal Government if they do not. The U.S. Department of Homeland Security has staffed up with additional manpower to aggressively enforce compliance with CFATS regulations.

In the first stage of CFATS implementation, the risk of all chemical facilities is evaluated based on an online assessment tool that surveys each facility's use of "chemicals of interest.” Based on the assessment, certain facilities are required to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans, which include measures to address 18 published Risk-Based Performance Standards (RBPS).The standards are listed in a 194-page document covering requirements such as securing site assets, screening and controlling access, sabotage and dealing with specific threats, vulnerabilities or risks. Once the site security plan has been approved, the facility must implement the plan within a specified time period.

The CFATS rule also contains associated provisions addressing inspections, audits, record-keeping and the protection of chemical vulnerability information. Non-compliance can result in fines of $25,000 per day and closure of a facility.

Due to the risk-based nature of CFATS, companies have to use a great deal of their own judgment in order to comply with the 18 RBPS. The regulations require a level of performance to mitigate risks to chemical-based facilities, but they do not prescribe specific security measures to be used. In theory, the distinction creates an environment conducive to development of best practices. In reality, the vagueness of the requirements leaves uncertainty that could work against a facility trying in good faith to comply if its measures are judged ineffective or inadequate.

The role of the security vendor, including suppliers of security manpower, is now more important than ever for CFATS-regulated facilities. Many (if not most) of the tasks required by the regulation are performed by security vendors. Training of security officers as well as the quality of the overall security program is critical for these regulated sites, not only for security but for regulatory compliance.

DHS has not made things easy for the regulated sites as uncertainty about many aspects of the program is still rampant. Now, for the first time, not only do facilities have to answer for the effectiveness of their security measures, they will also be judged and assessed by an outside party – the government – with expensive consequences if they don't pass muster.

Carlos Barbosa, Vice President, Vertical Development, G4S Secure Solutions USA

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.