ISCD Publishes CFATS Quarterly

I missed this last night because of problems with accessing the CFATS Knowledge Center, but on Monday the DHS Infrastructure Security Compliance Division published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. The latest version provides information on the CSAT 2.0 tiering results, an overview of facility response requirements for a new tiering letter, and a brief reminder about annual CFATS audits.

Tiering Results

Not much new information provided in what is really just a summary of the recent webinars that ISCD held concerning the tiering results. The number of new Top Screens received has been raised to 12,000 and ISCD reports that they will be continuing to send out Top Screen notification letters for 18 months for the remaining 15,000 facilities that are on the list of facilities that have previously submitted Top Screens showing the presence of DHS chemicals of interest (COI) at or above the screening threshold quantity.

Tiering Letter Response Requirements

While ISCD did briefly discuss what a facility needs to do to respond to a new Tiering Letter during their webinar, the Quarterly provides a discussion that is a bit more detailed. It is still not a definitive discussion, but ‘definitive’ is not really possible given the wide variety of facilities and circumstances involved. The final paragraph provides the solution to the lack of a definitive answer:

“DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk. You may reach out to your Chemical Security Inspector or Compliance Case Manager if you are unsure what specific steps to take.”

CFATS Audits

There is a brief sidebar at the bottom of the second page of the Quarterly that reminds facility security managers that every CFATS covered facility with an approved site security plan (SSP) is required {6 CFR 27.225(e)} to conduct an annual audit of their compliance with that SSP. The CFATS rule does not provide detailed guidance on what such an audit will include. This brief piece in the Quarterly provides the following suggestions:

· Verification of Top-Screen and SVA data, including ensuring COI information is current;

· Confirmation of all CSAT user roles;

· Confirmation of all existing and planned measures from the SSP/ASP; and

· Review of current policies, procedures, training, etc.

I briefly addressed this issue back in December 2014 and I still think that post provides a useful look at audit requirements. A formal audit summary document certainly needs to be prepared and it needs to be made available during any compliance inspection.