Cybersecurity and Infrastructure Security Agency Regulatory Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) relies on guidance documents to express and disseminate its views, interpret statutory and regulatory provisions, and implement various programs. CISA has created this portal to provide information and access to all agency guidance documents on which the agency relies.

We note that many of these documents are also available on other locations on CISA's website, along with other information regarding CISA's programs.

We also note that guidance documents generally lack the force and effect of law, unless expressly authorized by statute or incorporated into a contract.

Chemical Security

These documents are the significant guidance documents for the Chemical Facility Anti-Terrorism Standards (CFATS) program.

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

CFATS Advisory Opinion 2016-001: RBPS-12 Background Check Requirements for Legacy Employees

Date of Issuance/Revision: October 5, 2016
Date of publication on website: October 5, 2016
Document Identification Number: CISA-ADV-2016-001
General Topic: Chemical Facility Security Standards
Summary: The document interprets relevant regulations and concludes that background checks are required for all employees of covered chemical facilities with access to chemicals of interest (COI). It specifies that there is no exclusion or exemption for employees who had access to COI prior to the implementation of the CFATS regulations.

CFATS Advisory Opinion 2016-002: "A Commercial Grade" Interpretation

Date of Issuance/Revision: October 5, 2016
Date of publication on website: October 5, 2016
Document Identification Number: CISA-ADV-2016-002
General Topic: Chemical Facility Security Standards
Summary: The document is an advisory opinion that clarifies the term "A Commercial Grade" as used to determine whether a facility holds a COI at or above the screening threshold quantity (STQ) and concentration that must be reported to CISA pursuant to the CFATS regulations.

CFATS Advisory Opinion 2016-003: "Transportation Packaging" Interpretation

Date of Issuance/Revision: October 10, 2016
Date of publication on website: October 10, 2016
Document Identification Number: CISA-ADV-2016-003
General Topic: Chemical Facility Security Standards
Summary: The document is an advisory opinion that clarifies the term "Transportation Packaging" as used in the CFATS regulations. This advisory opinion contains the Agency's interpretation of the term as it is used in the CFATS regulations.

CFATS Advisory Opinion 2019-001: Top-Screen Reporting of Theft/Diversion EXP/IEDP Mixtures

Date of Issuance/Revision: October 5, 2019
Date of publication on website: October 5, 2019
Document Identification Number: CISA-ADV-2019-001
General Topic: Chemical Facility Security Standards
Summary: The document is an advisory opinion that explains the Department's interpretation of 6 CFR 27.204 and Appendix A to the CFATS regulation as requiring facilities to report possession of threshold quantities of theft/diversion mixtures of COI to CISA.

CFATS Advisory Opinion 2020-001: Hatcheries Not Eligible for Agricultural Extension Letter

Date of Issuance/Revision: July 24, 2015
Date of publication on website: February 13, 2020
Document Identification Number: CISA-ADV-2020-001
General Topic: Chemical Facility Security Standards
Summary: In July 2015, the Department of Homeland Security (DHS) clarified to the California Department of Fish and Wildlife that fisheries and hatcheries do not qualify for the agricultural facilities time extension issued by DHS in 73 FR 1640 (Jan 9, 2008). DHS published a redacted version of this letter to ensure that other fisheries and hatcheries properly report any threshold quantities of COI that they possess.

Safeguarding Information Designated as Chemical-Terrorism Vulnerability Information (CVI) Revised Procedural Manual

Date of Issuance/Revision: September 2008
Date of publication on website: September 2008
Document Identification Number: CISA-CFATS-001
General Topic: Chemical Facility Security Standards
Summary: The document, issued by CISA, describes in detail how to identify, handle, and safeguard information developed by private and public entities that meets the definition of CVI.

Risk-Based Performance Standards (RBPS) Guidance

Date of Issuance/Revision: May 2009
Date of publication on website: May 2009
Document Identification Number: CISA-CFATS-002
General Topic: Chemical Facility Security Standards
Summary: The document contains detailed information on how CISA construes the RBPS and how it evaluates facility compliance with those standards.

DHS Guidance for the Expedited Approval Program (EAP)

Date of Issuance/Revision: May 6, 2015
Date of publication on website: May 6, 2015
Document Identification Number: CISA-CFATS-003
General Topic: Chemical Facility Security Standards
Summary: The document contains specific steps facilities that choose to take part in the EAP should take if they wish to take advantage of the benefits of that program.

Policy for Assessing Civil Penalties under CFATS

Date of Issuance/Revision: June 7, 2017
Date of publication on website: June 7, 2017
Document Identification Number: CISA-CFATS-004
General Topic: Chemical Facility Security Standards
Summary: The document outlines the penalties and the procedures that CISA follows to assess civil penalties for chemical facilities found to be in violation of CFATS.

Chemical Security Assessment Tool (CSAT) Personnel Surety Program (PSP) Instructions

Date of Issuance/Revision: July 19, 2019
Date of publication on website: July 19, 2019
Document Identification Number: CISA-CFATS-005
General Topic: Chemical Facility Security Standards
Summary: The document contains detailed information on how to submit information for the PSP using the computerized tools, specifically CSAT provided by CISA.

CFATS Frequently Asked Questions (FAQs)

Date of Issuance/Revision: May 8, 2020
Date of publication on website: February 20, 2020
Document Identification Number: CISA-CFATS-006
General Topic: Chemical Facility Security Standards
Summary: The document contains the current FAQs for the CFATS Knowledge Center, which was taken offline with the lapse of CFATS authorities. These FAQs have been compiled by CISA in response to interactions with stakeholders in the course of their compliance with the CFATS program.

Clarification for Sodium Chlorate Contained in Specific Products

Date of Issuance/Revision: April 20, 2015
Date of publication on website: February 20, 2020
Document Identification Number: CISA-CFATS-007
General Topic: Chemical Facility Security Standards
Summary: The document is a letter that grants a time extension for facilities possessing certain sodium chlorate products to report those chemicals under the CFATS program.

Notice to Agricultural Facilities About Requirement To Complete Chemical Security Assessment Tool Top-Screen

Date of Issuance/Revision: January 9, 2008
Date of publication on website: February 20, 2020
Document Identification Number: CISA-FRN-001
General Topic: Chemical Facility Security Standards
Summary: In this Federal Register notice, DHS announced that it would not require certain agricultural facilities to submit a Top-Screen if it possessed only COI used for certain agricultural processes.

Clarification to Chemical Facility Anti-Terrorism Standards; Propane

Date of Issuance/Revision: March 21, 2008
Date of publication on website: February 20, 2020
Document Identification Number: CISA-FRN-002
General Topic: Chemical Facility Security Standards
Summary: In this Federal Register notice, DHS clarifies how the STQ and certain counting rule provisions apply to the COI propane.

Chemical Facility Anti-Terrorism Standards Personnel Surety Program

Date of Issuance/Revision: December 18, 2015
Date of publication on website: February 20, 2020
Document Identification Number: CISA-FRN-003
General Topic: Chemical Facility Security Standards
Summary: In this Federal Register notice, the DHS announced the implementation of the PSP, which enables regulated chemical facilities to ensure that individuals seeking unescorted access to restricted areas are screened for terrorist ties. This notice lays out the steps for facilities to take to enroll in the program and explains what information is required to participate.

Protected Critical Infrastructure Information (PCII)

Protected Critical Infrastructure Information (PCII) Program Procedures Manual

Date of Issuance/Revision: April 10, 2009
Date of publication on website: April 10, 2009
Document Identification Number: CISA-PCII-001
General Topic: Protected Critical Infrastructure Information
Summary: The document details the procedures for submitting PCII to the government, the scope of protections for the information, and detailed information about the roles and responsibilities of individuals and organizations within the PCII program.