The following metrics show the maturation and growth of the CFATS program (6 CFR Part 27). Metrics noted under “Since Inception” include facilities that were tiered when the activity occurred, but subsequently determined to no longer be high-risk. Typical reasons for a change in high-risk status includes removal of chemicals of interest (COI), reduction of the quantity of COI onsite, replacement of the COI with a lower concentration COI, and/or facility sale or closure.
To date, CISA has received more than 93,000 Top-Screen submissions from more than 41,000 unique facilities. Of these, the CFATS program currently covers 3,322 facilities. These high-risk facilities are divided into four tiers, with Tier 1 facilities posing the highest security risk.
It is important to note that this regulatory program is cyclical in nature, meaning activities such as Compliance Inspections (CIs) are recurring. ISCD began conducting recurring CIs in March 2017.
* If an activity is canceled, it will be removed from the system. This may lead to a small change in the numbers we are reporting from month to month.
|Activity||Since Inception||July 2019|
|Authorization Inspections (AIs)||4,033||12|
|Compliance Inspections (CIs)||5,120||144|
|Compliance Assistance Visits (CAVs)||5,585||48|
Authorization Inspections (AIs): This metric shows the number of Authorization Inspections completed. Once a Letter of Authorization is issued, an AI is conducted at facilities to verify and validate that the content listed in the facility’s Site Security Plan (SSP) or Alternative Security Program (ASP) is accurate and complete, and that existing and planned equipment, processes, and procedures are appropriate and sufficient to meet the risk-based performance standards (RBPS) specified in the CFATS regulation. This inspection occurs prior to the final approval of the facility’s security plan.
Compliance Inspections (CIs): This metric shows the number of Compliance Inspections completed. A CI is conducted as part of the recurring inspection process after a Letter of Approval has been issued to ensure the facility continues to implement its approved security plan. CIs are conducted to ensure that existing and planned security measures identified within the SSP or ASP are appropriate and sufficient to meet the RBPS. CIs will typically occur every one to two years, or as needed.
Compliance Assistance Visits (CAVs): This metric shows the number of Compliance Assistance Visits completed. ISCD offers CAVs to CFATS-covered facilities and facilities of interest so that the facilities have an in-depth knowledge of how to meet the requirements of the CFATS regulation. These visits can perform various functions, such as assisting with determining COI reporting requirements, submitting or resubmitting a Top-Screen, developing an SSP or ASP, editing an SSP based on a change in security posture or tiering, or assistance in complying with any other part of the regulation.
CFATS Facility Statuses
Tiered Facilities: Once a facility has submitted a Top-Screen, CISA uses a risk methodology to determine if the facility is high-risk. This metric shows the number of high-risk facilities that are currently tiered, and are pending Authorizations and Approval.
Authorized Facilities: This metric shows the number of facilities that are currently authorized. Once a facility has submitted their security plan (SSP or ASP), a Letter of Authorization will be issued if the security measures appear to satisfy the applicable established risk-based performance standards (RBPS) requirements.
Approved Facilities: This metric shows the number of facilities that are currently approved. Once the facility’s security plan is approved and issued a Letter of Approval, the facility enters into a regulatory cycle of CIs.