Following September 11, 2001, the American people became painfully aware of the devastation
that can result from the misuse of America’s resources. One such resource — the wide array of
potentially harmful chemicals used in American industry — drew the immediate attention of Congress because of the high potential for damage. But while the need for regulation was immediately apparent after 9/11, there was no clear consensus on the best manner by which to assure the security of our nation’s chemical facilities.

Initial legislation proposed shortly after 9/11 by then-Senator Jon Corzine (D-NJ) focused on encouraging the chemical industry to adopt inherently safer technology (IST), which involves analyzing processes with the goal of substituting less hazardous chemicals in place of existing, more
hazardous ones. The basic premise behind the proposed bill was that mandatory ISTs would require chemical operations to eliminate or reduce their stocks of hazardous chemicals to the point that the materials would no longer be attractive targets for terrorists. The Corzine bill was hotly contested by the chemical industry, which feared that mandatory ISTs could decrease the commercial viability of their processes and place a federal agency in the role of dictating manufacturing processes and second-guessing facility engineers. As a result of this struggle, no progress was made on regulating the safety of our chemical facilities until 2006, when a deal was struck that moved away from the IST approach.

On October 4, 2006, President Bush signed the Department of Homeland Security (DHS) Appropriations Act of 2007 (the “Act”), Section 550 of which provides DHS with the authority to regulate the security of chemical facilities that “present high levels of security risk.” Section 550 requires the Secretary of DHS to promulgate regulations establishing “risk-based” performance standards for chemical facilities. The Act broadly defines the term “chemical facility” as “any establishment that possesses, or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by [DHS] to be potentially dangerous or that meets other risk-related criteria identified by [DHS].” DHS issued an interim final rule under Section 550 of the Act on April 9, 2007, and issued “Appendix A” to the rule in November of 2007. Together, these rules are now being implemented as the Chemical Facility Anti-Terrorism Standards (CFATS).

The process for determining whether a facility is subject to regulation under CFATS can be very complicated, as can compliance with the regulations for those chemical facilities found to be “high risk.” The following is a summary of how CFATS operates.

Chemical Facility Anti-Terrorism Standards

Pursuant to Section 550, Congress statutorily exempts from the reach of CFATS five categories of facilities: (i) facilities regulated under the Maritime Transportation Security Act; (ii) “public water systems” as defined under the Safe Drinking Water Act; (iii) facilities owned or operated by the Departments of Defense or Energy; (iv) facilities regulated by the Nuclear Regulatory Commission; and (v) wastewater “treatment works” under the Clean Water Act.

Non-exempt chemical facilities that may present “high levels of security risk” must complete a Web-based questionnaire called a Top-Screen, which is part of an overall process of collecting data under the Chemical Security Assessment Tool (CSAT). Appendix A lists more than 300 “chemicals of interest” (COIs) and sets a “screening threshold quantity” (STQ) for each chemical for each applicable type of “security issue.” There are seven security issues — three involve release of chemicals; three
involve theft or diversion; and one involves sabotage/contamination. If a facility possesses a COI at a level exceeding the STQ for that chemical, the facility will be required to submit a Top-Screen. The Top-Screen solicits information on security and preparedness issues relating to the at-issue chemical facility.

The DHS uses the Top-Screen results to determine whether a particular chemical facility is a “covered facility” that is subject to regulation. “Covered facility” is defined as “a chemical facility determined by [DHS] to present high levels of security risk, or a facility that [DHS] has determined is presumptively high risk.” Notably, the “presence or amount of a particular chemical listed in Appendix A is not the sole factor in determining whether a facility presents a high-level of security risk and is not an indicator of a facility’s coverage under [CFATS].” Rather, the regulations give DHS very broad discretion to consider any factors it believes relevant to determine the risk presented by each facility reviewed.

If DHS determines that a facility is covered by CFATS, DHS will notify the facility operator of the determination and place the facility in one of four risk-based tiers, with Tier I representing the highest-risk facilities and Tier IV the lowest. The covered facility must then conduct a security vulnerability assessment (SVA) via CSAT or using another DHS-approved methodology. Once DHS approves a facility’s SVA submission, the facility must develop a site security plan (SSP) and submit it through CSAT. The SSP must describe the facility’s security measures and explain how they address: (i) the vulnerabilities identified in the SVA; (ii) the applicable “potential modes of terrorist attack”; and (iii) the applicable “risk-based performance standards.” Depending on the covered facility’s tier, the facility must resubmit new Top-Screens, SVAs and SSPs every two to three years, or sooner if there is
a “material modification.”

Recognizing the diversity of chemical facilities in terms of size, location and type of operation, Section 550 adopts a risk- and performance-based approach. This means that DHS seeks a specific outcome, but does not direct the manner or means to achieve it, so DHS must look at the plan as a whole to determine whether the SSP satisfies the applicable risk-based performance standard. CFATS established the following 19 categories of risk-based security performance standards that may apply to a chemical facility, depending on the final tier decision following the facility’s SVA: restrict area perimeter; secure site assets; screen and control access; deter, detect and delay; shipping, receipt
and storage; theft and diversion; sabotage; cyber; response; monitoring; training; personnel surety; elevated threats; specific threats, vulnerabilities or risks; reporting of significant security incidents; significant security incidents and suspicious activities; officials and organization; records; and “any additional performance standards the [DHS] may specify.”

Section 550 adopts a risk- and performance based approach.

Once DHS approves a facility’s SSP, DHS must visit the facility to ensure compliance with the plan before issuing a Letter of Approval. If DHS finds a violation, it may issue to the facility an order to comply within a certain timeframe. Violation of such an order may result in a civil administrative penalty of up to $25,000 per violation. In extreme cases, DHS may also issue an order for the facility to cease operation until it complies with the order.

Covered facilities are also subject to DHS audits and inspections, as well as record-keeping requirements. Notably, chemical facility security information — such as SVAs, SSPs and inspection reports — is protected by law from unauthorized disclosure.

The Future of DHS Regulations Affecting Industry

As a result of Section 550’s broad definition of “chemical facility,” a wide range of industries may be affected by CFATS. In fact, DHS expects to identify between 5,000 and 8,000 chemical facilities as high-risk establishments required to comply with CFATS. Further, as the first regulation of its kind, CFATS will likely serve as a test case for similar security regulation programs being developed for
industries involved in “critical infrastructure,” which DHS loosely defines as “national infrastructures [that] are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States.” Obvious examples of critical infrastructure would be power generation, water supply systems or road construction. For these reasons, it is critically important that operations potentially subject to the CFATS, and those dealing with other critical infrastructure, understand how these rules are applied. Please contact a member of SGR’s Environmental Practice Group if you have questions about how CFATS may affect your business.