On July 28, 2023, the authorization for the Department of Homeland Security’s (DHS’s) Chemical Facility Anti-Terrorism Standards (CFATS) program, as codified in Title 6 of the Code of Federal Regulations Part 27 (6 CFR 27) was allowed to expire.
This means that facilities are not required to report their chemicals of interest (COI) or submit any information in DHS’s Chemical Security Assessment Tool (CSAT) and high-risk facilities are not required to perform inspections, provide CFATS compliance assistance, or otherwise meet the DHS Cybersecurity and Infrastructure Security Agency (CISA) requirements for this program.
Additionally, the authorization’s expiration means CISA can no longer require facilities to implement the Site Security Plan or Alternative Security Program, which are required by CFATS.
At TRC, we fully expect that CFATS will be reauthorized in the fall, but do not know when exactly this will happen. Our opinion is based on the following:
- The House of Representatives passed a bill to reauthorize CFATS for three more years with overwhelming support on July 22, 2023.
- Although there is also overwhelming support in the Senate, the reauthorization bill was not brought up for a vote before the July 28th expiration date.
- The American Chemistry Council (ACC), National Association of Chemical Distributors (NACD), and other industry trade groups support CFATS reauthorization and are urging their members to contact their senators to get CFATS reauthorized.
- The ACC stated “[t]he country lost an important tool in the fight against terrorism when the CFATS program was allowed to expire on July 27, 2023 . . . Congress must act quickly to reinstate CFATS to restore protections for chemical facilities, workers and communities across the country.”
- The NACD stated “CFATS is one of the most successful chemical security programs in existence and helps high-risk chemical facilities protect against terrorist attacks.”
- To not reauthorize CFATS is to leave the door open to those individuals and groups that would exploit this gap in the protection of critical infrastructure and to compromise national security.
Until Congress reauthorizes CFATS, TRC recommends that firms continue to follow CISA’s requests:
- Facilities that have been tiered as high-risk chemical facilities should continue implementing and managing their security programs as they were doing; and
- Any new facility meeting the criteria for the COI they handle should be ready to comply with the regulations (e.g., be ready to obtain CVI training, register on CSAT and submit the Top Screen Security Survey for their facility via CSAT).
Next Steps: TRC Can Help
It is important to keep up to date with your compliance program to avoid adverse impacts when CFATS is reauthorized. In addition to following regulatory developments, TRC can help you protect your facilities and operations with guidance on best approaches for securing your chemicals of interest. CFATS is a performance-based program and there are multiple security strategies that should be considered to find the optimum one for your facility.
Our team can also support the development various CFATS compliance documents from Top Screen, SVA/SSPs, Compliance Checklists and Security and Emergency Management Plans. We develop security designs and standards, support Authorization Inspections and other compliance activities; develop and deliver customized security training modules specific to your team and facility; develop standard operating procedures and policies to protect chemicals and to comply with CFATS (including personal surety/background checks, inventory controls, etc.); and general security support.
If you have any questions about CFATS and/or its reauthorization, or you need assistance securing your facilities and your people, please do not hesitate to contact one of the following TRC security professionals below.
Gain
Peace-of-Mind
Partner With TRC’s Tested Practitioners
Sharing Our Perspectives
Our practitioners share their insights and perspectives on the trends and challenges shaping the market.
CFATS Program Expires but Reauthorization Anticipated this Fall
September 6, 2023
Regulated organizations should continue to follow DHS cybersecurity requirements.
NERC Recommends Approaches for Underfrequency Load Shedding Programs
February 24, 2022
In a recently released reliability guideline, NERC recommends additional approaches for Underfrequency Load Shedding (UFLS) program design to help utilities effectively consider the effects of Distributed Energy Resources (DERs). The guidance was developed to address the accelerated transition of the power system to locally installed, decarbonized resources that depend on inverters. These new technologies introduce operational controls issues into the electric grid. UFLS data gathering and analysis methodologies may require modification to address reliability risks.
NERC and FERC Recommend Protection System Commissioning Improvements
January 18, 2022
Between 18 and 36 percent of reported utility misoperations were attributed to issues that could have been detected through a properly implemented PSC.
FERC & NERC Issue Joint Report on Freeze Reliability Failures
December 15, 2021
The in-depth report outlines twenty-eight recommendations to address freeze reliability failures, including operating practices and recommendations for NERC standards modifications surrounding generator winterization and gas-electric coordination.
NERC Accelerates Additional Cold Weather Standards Changes
November 22, 2021
At its November 2021 meeting, NERC’s Board of Trustees took aggressive action to advance critical cold weather Reliability Standards. Most notably, the group approved the 2022-2024 Reliability Standards Development Plan, which prioritizes standards projects for the coming years including a resolution to include new cold weather operations, preparedness and coordination standards as high priority development projects.
New Potential Compliance Standards Identified at FERC Technical Conference on Reliability
October 18, 2021
With a focus on the reliability impact of extreme weather and the shortcomings of current system planning approaches, both NERC and FERC conference participants opened the door to potential forthcoming compliance standard enhancements or changes.
Summary of NERC CIP Standards Updates
June 29, 2020
FERC has released a notice of inquiry seeking comments on potential enhancements to NERC’s Critical Infrastructure Protection (CIP) Reliability Standards.
NERC Reliability Report Prioritizes Power System Security Risks for Action
January 2, 2020
NERC’s 2019 ERO Reliability Risk Priorities Report identified and prioritized the major risks facing the utility industry with a particular focus on security issues.
Hardening Cyber Defenses at Chemical Facilities a Key Part of Federal CFATS Regulations
October 24, 2017
Federal CFATS regulations cover more than just the handling, transport and storage of dangerous chemicals. They also deal with tools and methods terrorists could use to acquire the deadly agents – such as a cyber attack.
NERC CIP-013-1 Standard for Supply Chain Risk Management
September 29, 2017
NERC has filed mandatory standard CIP-013-1 for supply chain risk management, requiring controls to mitigate cyber threats and their impact to the reliable operation of the Bulk Electric System.
