CISA Updates CFATS Landing Page – 5-20-20

Yesterday the Cybersecurity and Infrastructure Security Administration (CISA) updated the Chemical Facility Anti-Terrorism Standards (CFATS) landing page. No substantive changes were made, but some interesting language changes may provide some insight into the program.

Changes were made in two specific areas of the page, the opening paragraph and the ‘CFATS Overview’ section.

The opening description of the program now reads:

“CFATS is the nation’s first regulatory program focused specifically on security at high-risk chemical facilities. Managed by the Cybersecurity and Infrastructure Security Agency (CISA), the CFATS program identifies and regulates high-risk facilities to ensure they have security measures in place to reduce the risk that certain hazardous chemicals are weaponized by terrorists.”

The final sentence of that paragraph used to read: “The Cybersecurity and Infrastructure Security Agency (CISA) manages the CFATS program by working with facilities to ensure they have security measures in place to reduce the risks associated with certain hazardous chemicals and prevent them from being [emphasis added] weaponized by terrorists.

I think that CISA is trying to emphasize to certain House Democrats that the CFATS program is an anti-terrorism program not a chemical safety program. One of the problems holding up the reauthorization of this program (and it has been an ongoing problem with Congress since before the program was established) is that many Democrats see the CFATS program as a way to address chemical safety issues that the EPA and OSHA have not addressed. These include such things as emergency response planning, hazard communication with local neighbors, and reducing the use of hazardous chemicals. While the CFATS program does lightly (and legitimately) touch on these issues, it should not be the primary route for regulation in these areas.

The final change is an even more subtle change to the middle sentence in the ‘CFATS Overview’ section of the page:

“These facilities must report their chemical holdings chemicals to CISA via an online survey, known as a Top-Screen”

I believe that CISA is trying to ensure that potentially regulated facilities know that CISA understands the frequently transient nature of chemical inventories at many chemical facilities, especially in the specialty chemical manufacturing sector. Even though the DHS chemicals of interest (COI) may only be on site for relatively short periods of time (frequently just long enough for them to be consumed in the manufacture of some other, non-regulated chemical or object), the CFATS program requires notification to CISA. CISA expects facilities with such transient COI inventories to have security measures in place while they are present at the facility and site security plans need to reflect that.

Neither of these issues is new and CISA and its predecessor organization have made these ideas clear to the regulated community in a number of forums over the years. This is just a part of the ongoing effort at the Agency to ensure mission clarity. Fortunately, with CISA returning to including change dates on their web pages (for the CFATS program at least), our attention is called to these relatively minor changes on the web site. Without those date markings, few would have ever noticed the changes.