Skip navigation.

DHS Chemical Facility Anti-Terrorism Standards (CFATS) regulatory framework [interim rule 04/09/07]

The following text provides information on the Regulatory Framework for the Homeland Security (DHS) interim rule: Chemical Facility Anti-Terrorism Standards (CFATS) issued April 9, 2007. (Additional information on the interim rule is posted on this website at (LINK)

The Basic Regulatory Framework

The regulations set out a multi-step process through which affected facilities submit information and security plans for approval. These
steps are:

Step 1:
Each facility that has a “standard threshold quantity” (STQ) of a substance listed in Appendix A must execute and submit a top-screen survey electronically using the chemical security assessment tool (CSAT), the system DHS will use to collect and assess information. Facilities must submit the Top-Screen survey within 60 days of the final publication of the regulation, which will likely be in August 2007 (6 C.F.R. § § 27.200, 27.210) [published November 20, 2007].

Step 2:
Based on the information from the survey, DHS may make an initial determination that a facility should be placed in one of four risk tiers – with Tier 1 posing the highest risk – and will notify the facility of its risk tier. In the alternative, DHS may determine based on the survey that a particular facility is not “high risk” and is not subject to the regulations (6 C.F.R. § 27.205).

Step 3:
The facility submits a security vulnerability assessment (SVA) that characterizes assets, evaluates threats and risks and includes strategies for reducing the possibility and consequences of an attack. The SVA is completed using the risk analysis and management for critical asset protection system, or RAMCAP, and submitted through the CSAT system (6 C.F.R. § 27.215). SVAs must be submitted within 90 days of written notice from DHS or within the timeframe set out in a Federal Register notice (6 C.F.R. § 210).

Step 4:
Based on the top screen survey results and the SVA, DHS either confirms or alters its initial determination of the appropriate risk tier for the facility and notifies the facility (6 C.F.R. § 27.220).

Step 5:
The facility develops and implements a site security plan (SSP) that meets the risk-based performance standards for the facility’s risk tier (6 C.F.R. § 27.225). The regulations include a list of risk-based performance standards, such as restricting the perimeter of the facility, deterring attacks and preventing theft and sabotage (6 C.F.R. § 27.230). DHS plans to issue guidance on the application of the performance standards to the different risk tiers, and notes that the “acceptable layering of measures used to meet these standards will vary by risk-based tier.”Id. SSPs must be submitted through the CSAT system within 120 days of written notice from DHS or within the timeframe set out in a Federal Register notice (6 C.F.R. § 27.210).

Step 6:
DHS reviews and either approves or disapproves the SVA (6 C.F.R. § § 27.240, 27.245). The SSP approval
process involves two steps. First, DHS reviews the SSP and either issues a Letter of Authorization approving the plan or disapproves the plan. Second, once the written SSP is approved, DHS conducts a physical inspection of the facility for purposes of determining compliance with the regulations (6 C.F.R. § § 27.245, 27.250).

Step 7:
DHS may issue an order requiring a facility to comply with the regulations. If the facility violates an order, DHS may issue an order assessing civil penalty imposing penalties of up to $25,000 per day, or an order to cease operations, which would require the facility to close. A facility may appeal any order or the disapproval of an SSP. Appeals are heard by a “neutral” attorney at DHS who has not been involved in the investigation of the facility. The decision may then be appealed to the Under Secretary of DHS, and ultimately to a federal court.

Additional information on this topic is available on the DHS website at

Sorry, the comment form is closed.