The U.S. Department of Homeland Security (DHS) began notifying facilities regulated under the Chemical Facility Anti-Terrorism Standards (CFATS) of changes in their risk categorization, or “tiering,” last month. Covered facilities should take note, as the timeline for addressing the notice is short and DHS is expected to conduct follow-up inspections.
CFATS regulates “chemical facilities” in diverse industries, such as chemical manufacturing, storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare. DHS screens all covered facilities, and if DHS deems a facility a “high-risk,” it assigns the facility to a risk tier that subjects the facility to a range of regulatory requirements.
A notice from DHS of a change in tier may require a regulated facility to prepare revised security measures and incorporate them into a new site security plan (SSP), which DHS must approve. Facilities have only 30 to 120 days to comply with the new requirements once notified. This action marks the first time DHS has conducted a wholesale review of all regulated facilities, and accordingly, many facilities will be affected by the outcome of the review.
If a facility receives a notification of tier change, five factors should be contemplated when planning for compliance:
- The facility might now be subject to CFATS for the first time. If the facility was never tiered before and now finds itself subject to CFATS, the owner/operator only has 120 days to meet the first regulatory requirement: submission of a security vulnerability analysis (SVA), SSP or alternate security plan (ASP). The facility owner/operator will need to understand the specific risks and threats DHS will want addressed, understand what security measures are already in place and identify gaps that will need to be filled so the facility will be in compliance.
- If the facility’s tier has changed, understand what that means. If a facility’s categorization changed, the owner/operator will need to understand the factors DHS has identified that will require attention. DHS will require facilities to account for each specific Chemical of Interest (COI) identified, specific security issues and all of the Risk Based Performance Standards (RBPSs) relevant to the new tier. New requirements will need to be incorporated into an SVA, SSP or ASP within 30 days of notification.
- A change in tier might not require action; no change may require action. Even if a facility’s categorization has changed (from Tier 1, 2, 3 or 4 to another tier), it may not be subject to any new requirements. The facility should check its SSP against the requirements for the new tier assignment. It is possible that the measures previously incorporated into the SSP will satisfy the requirements for the new tier. However, it is also possible that DHS identified new issues that must be addressed even though the issues were not cause for a tier change.
- If a facility’s SSP never received a final approval, changes may still need be necessary. If a facility’s SSP was authorized but not approved and the tier changed or new threats or issues were identified, the facility will need to identify changes that will be required to the SSP. When DHS inspectors come to thefacility prior to final approval, the changes will be discussed, specifically how they address the threats or issues identified and when full implementation will occur.
- DHS is ready to help but is also ready to inspect. DHS inspectors will be performing compliance inspections to verify that all changes required at a facility are being addressed in practice. If problems or issues will necessitate engagement or negotiations with DHS, owners/operators must be prepared with all the facts and options, to make a case to DHS as soon as possible.
Judah Prero is counsel at Sidley in the Environmental group where he focuses on chemical management laws and regulations, including the Toxic Substances Control Act, Chemical Facility Antiterrorism Standards, the Occupational Health and Safety Act and the Clean Air Act’s Risk Management Plan program.