Thursday, April 4, 2024


While the Chemical Facility Anti-Terrorism Standards (CFATS) program was terminated by Senate inaction last summer, the Cybersecurity and Infrastructure Security Agency (CISA) has faith that Congress will be reauthorizing the program. This is reflected in today’s publication of the “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements” notice of proposed rulemaking. The CFATS program is a fundamental part of the implementation of the CIRCIA reporting rule.

CISA is proposing as part of their definition of the term ‘covered entity’ relies on sector based criteria found in their proposed §226.2(b). The first such criteria, listed in paragraph (1) is:

“(1) Owns or operates a covered chemical facility. The entity owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards pursuant to 6 CFR part 27;”

In the preamble discussion for this sector based definition CISA acknowledges in footnote 207 that there is a possibility that the CFATS program might not be reauthorized in time for the publication of the final rule, noting that:

“CISA is aware that, at the time of publication of this NPRM, Congress has allowed statutory authority for the CFATS program to expire. CISA believes that by the time the CIRCIA final rule is issued, CFATS will be reauthorized by Congress. Should CFATS not be reauthorized by the time the CIRCIA final rule is ready for publication, CISA proposes to replace [link added] the proposed CFATS-based Chemical Sector criterion in this NPRM with an alternate Chemical Sector criterion focused on owners and operators of facilities regulated by the Environmental Protection Agency (EPA) under its Risk Management Program (RMP) regulations.”

I will be covering this issue in more depth when I discuss the ‘covered entity’ portion of the NPRM in future blog posts.

No comments:

/* Use this with templates/template-twocol.html */