Report a Chemical Facility Anti-Terrorism Standards (CFATS) Violation

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

Chemical security is a shared responsibility among chemical facility owners, operators, and employees; the communities that surround these facilities; and federal, state, and local government officials.

Chemical facilities that are determined to be "high-risk" must follow the Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27) and implement security measures that reduce the risks associated with chemicals of interest (COI).

Individuals and employees may report a potential CFATS violation to the Cybersecurity and Infrastructure Security Agency (CISA). Chemical facilities of interest are prohibited by law from retaliating against an employee for reporting a potential CFATS violation.

Potential CFATS violations may include, but are not limited to:

How To Report a CFATS Violation

To submit a report to the Agency regarding a potential CFATS violation, contact the CFATS Chemical Facility Security Tip Line, 877-394-4347 (877-FYI 4 DHS), or email CFATSTips@hq.dhs.gov.

Individuals may also report violations via mail to:

Chemical Security, Associate Director

CISA — CHR STOP 0609

Cybersecurity and Infrastructure Security Agency

1310 N. Courthouse Rd.

Arlington, VA 20598-0609

Call 9-1-1 or contact your local FBI field office if the incident is a security emergency or terrorist incident. If a security incident may already have occurred, contact CISA Central at Central@cisa.dhs.gov.

What To Include in the Report

If possible, please include the facility name, address or location, facility contact information, and specific security concern in the report. CISA will review and consider the information provided, and take action, as appropriate.

CISA encourages anyone reporting a potential violation to identify themself when making a report. This will allow CISA to acknowledge receipt of the information and facilitates the review of the violation.

For anonymous reports, please provide a detailed description of the nature of the potential violation, including, where possible, names and dates.

Whistleblower Confidentiality

CISA is committed to protecting whistleblower confidentiality. The identity of the reporting individual will be kept confidential, unless disclosure is unavoidable or is compelled by a court order. In these instances, CISA will attempt to contact the whistleblower to inform them of the communication.

CISA will accept violations reported anonymously; however, in such instances, the Agency will be unable to provide acknowledgement of receipt of the information. Additionally, such reports can pose challenges as CISA cannot contact an anonymous reporter to obtain additional information.