Learn about whether your facility is covered by the Chemical Facility Anti-Terrorism Standards (CFATS) regulation and the steps on how to comply.
The CFATS regulation applies to any facility—from an individual to an establishment—that possesses any chemical of interest (COI) at or above the screening threshold quantity (STQ) listed in Appendix A.
If your facility is not statutorily excluded and possesses any Appendix A COI at or above STQ, you must report your chemical holdings to DHS through a Top-Screen. The purpose of CFATS is to ensure that any facility identified by DHS as high-risk following its submission of a Top-Screen has sufficient security measures in place to reduce the risks associated with its COI.
Chemical-terrorism Vulnerability Information (CVI)
Only CVI-certified individuals can access the CFATS-related applications. CVI ensures that information provided to DHS will be protected from public disclosure or misuse. Accordingly, DHS requires individuals in possession of CVI to safeguard it with equal care.
- Complete the CVI Training to become certified.
Register Your Facility for CSAT Access
The Chemical Security Assessment Tool (CSAT) is a secure, online portal that helps facilities maneuver through the CFATS process. The portal houses the CFATS-related applications.
- Register your facility for access to CSAT. After registering your facility, DHS will email you a user identification and password to access CSAT.
Submit a Top-Screen and Receive a Risk Determination
The Top-Screen is a survey that starts the reporting process. All facilities have 60 days from the time they come into possession of COI to submit a Top-Screen. DHS reviews your Top-Screen using a risk-based methodology to determine if your facility is “high-risk.” If you are deemed “high-risk”, you will also receive a Tier of 1, 2, 3, or 4, with Tier 1 being the highest risk.
- Submit a Top-Screen to DHS.
Complete an Assessment and Submit a Security Plan
Tiered facilities must submit a Security Vulnerability Assessment (SVA) and a Site Security Plan (SSP) or an Alternative Security Plan (ASP) that meet the CFATS Risk-Based Performance Standards (RBPS).
The CSAT SVA/SSP Instructions provide a question-by-question walk through of the SVA and SSP/ASP surveys.
The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities—perimeter security, access control, personnel security, cyber security, and more—that are tailored to the tier level and unique considerations of the facility.
- Login to CSAT to submit an SVA and a SSP/ASP.
Authorization and Authorization Inspection (AI)
Upon receipt of an SSP or ASP from your facility (but not an EAP SSP), the Department will review the documentation and make an initial determination as to whether it satisfies the requirements of the CFATS regulation. If the Department finds that the requirements are satisfied, your facility will receive a Letter of Authorization.
A DHS Inspector will then be in contact to schedule an Authorization Inspection (AI). The AI will verify the content listed in the security plan is accurate and that existing and planned measures satisfy the RBPS requirements.
Note: If the SSP/ASP does not meet RBPS requirements, your facility must address the deficiencies and resubmit the SSP/ASP by the specified date.
If the Department approves the SSP/ASP, your facility will receive a Letter of Approval and enter into the compliance cycle.
EAP SSP Acceptance
Tier 3 and 4 facilities also have the option of submitting an Expedited Approval Program SSP in lieu of an SSP or ASP. Your submission will be accepted if it is not found to be facially deficient. If accepted, your facility will not undergo the authorization process. Instead, you your facility will immediately enter into the compliance cycle.
DHS Inspectors will conduct reoccurring Compliance Inspections (CI) to ensure your facility continues to fully implement the approved security measures.
For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.