May 7th, 2024 by Dakota Software Staff
Environment, health, and safety (EHS) managers are tasked with keeping their organization and its employees safe—and for those in the chemical manufacturing sector, this responsibility comes with a few extra compliance complexities. One of these complexities is chemical security, which, until July 27, 2023, had been regulated by the Chemical Facility Anti-Terrorism Standards (CFATS).
Considering its importance to safety, it was a bit of a surprise when CFATS was allowed to expire. Just because a regulation has lapsed, however, doesn’t mean the risks it addressed no longer pose a threat. Here we examine the past, present, and possible future of CFATS—and actions EHS professionals can take to keep their chemical facilities secure, regardless of regulatory fluctuations.
CFATS is a regulatory program created following the September 11, 2001, terrorist attacks to specifically address security at high-risk chemical facilities. The program was the first of its kind in the United States, and it is administered by the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security (DHS).
CFATS is found in the Code of Federal Regulations (CFR) under 6 CFR Part 27, and numerous industries, organizations, and even individuals may be covered by the regulation under its definition of a “chemical facility.” A chemical facility is one that possesses (or plans to possess) any of the chemicals of interest (COI) listed in Appendix A of the regulation at or above the defined screening threshold quantity (STQ) and concentration. With more than 300 COI listed, facilities in a wide variety of industries are subject to CFATS, not just chemical manufacturing but also storage/distribution, energy, agriculture, labs (including those at colleges and universities), electronics, healthcare/pharmaceuticals, and many more.
COI are categorized under three potential security issues: release, theft or diversion, and sabotage. Any facility that meets or exceeds the STQ for a COI must report possession of the chemical(s) to CISA by completing a “Top-Screen” online survey via the Chemical Security Assessment Tool (CSAT). Upon review of the Top-Screen survey, CISA will determine whether a facility is high-risk. Those determined to be high-risk must develop security plans and implement security measures intended to reduce any risks associated with the COI located at the facility.
All provisions of CFATS became operative and in effect November 20, 2007. Since going into effect, CFATS was extended four times by Congress, with bipartisan support.
In the summer of 2023, however, Congress adjourned for summer recess without reauthorizing CFATS, leaving a gap in chemical security regulation and enforcement. Numerous organizations (including those that explicitly oppose overregulation of the chemical industry) have raised the alarm since, citing risks to security at the organizational and national levels. Those calling for swift reauthorization of CFATS include the National Association of Manufacturers (NAM), the American Chemical Society (ACS), and the American Chemistry Council (ACC).
CISA itself has drawn attention to the negative security impacts from the lapse of CFATS. Since CFATS officially expired as of July 28, 2023, CISA has been unable to:
Inspect high-risk chemical facilities (an average of 160 inspections per month);
Conduct terrorist vetting on personnel who have access to COI (an average of 9,000 names per month);
Identify new facilities that have come into possession of high-risk COI, leaving CISA and local first responders unaware of their location(s); and
Numerous other regulatory, advisory, and/or enforcement functions critical to chemical security.
The number of individuals potentially affected by the CFATS lapse is immense—CISA notes that before the expiration, 3,200 chemical facilities were designated as high-risk, and 89 million people nationwide live within two miles of such a facility. This is why CISA urges facilities to maintain their security measures despite the lapse, and will follow up with all facilities if CFATS is reauthorized.
And reauthorization indeed appears likely in the near future. The House of Representatives passed a bill for CFATS renewal with broad support prior to the expiration—it simply has not yet come up for a vote in the Senate, where CFATS also has broad support. And despite the lengthy delay, Inside EPA recently reported that fiscal year 2024 spending legislation includes money for the program even though it has yet to be officially renewed.
In short, both the support and the money for CFATS are there, and reauthorization is widely considered to be only a matter of time. And this is why EHS managers need to remain steadfast in their commitment to chemical security by continuing to follow good management practices (GMPs).
In the meantime, EHS leaders in any industry that may be covered by CFATS should take appropriate steps to mitigate chemical security risks. Here are a few considerations:
If your organization was covered by CFATS before the lapse, stay the course. Ensure that existing personnel, process, and transportation obligations are followed and that site leaders are adhering to GMPs for safeguarding their facilities. In short, carry on as if CFATS were still in effect.
If new chemicals have come into your operations since the lapse, get prepared for the return of CFATS. This is particularly true if any of these chemicals appear on the Appendix A list of COI. Be prepared to take the reporting survey upon reauthorization, and ensure that you develop and implement appropriate security plans and protocols.
Stay compliant with all other hazardous chemical regulations and GMPs. Ensure your Process Safety Management (PSM) programs are on track, and consider going beyond compliance with certification programs such as the ACC’s Responsible Care Management System (RCMS).
Regulatory requirements shift and evolve, but an EHS professional’s duty to safeguard the organization and its employees remains constant. Dakota Software helps you maintain this vigilance with tools tailored to your organization’s unique risks.
For chemical security related to CFATS, Dakota offers a special Security Assessment Module for no additional cost to Profiler and Auditor clients. Gain insight into chemical, facilities, and transportation security GMPs—as well as any other EHS compliance challenges facing your organization.
Profiler
Tracer
Auditor
Scout
Insights
Inspections
Metrics
