Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) Submission Tips

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

The Cybersecurity and Infrastructure Security Agency (CISA) has reviewed thousands of Site Security Plans (SSPs) and Alternative Security Programs (ASPs) submitted by high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation. Based on these reviews, CISA has identified helpful hints to assist with completing your SSP as part of the authorization and approval process.

Consider What Security Measures to Address

Take a holistic approach. Think about the type of security measures your facility requires for its particular security concerns and tier. Generally, your facility's security measures, which address the CFATS Risk-Based Performance Standards (RBPS), will fall within one of the following overarching security objectives:

  • Detection. This may include considering measures such as the level of monitoring needed for the facility's tier and security concern; taking into account the chemicals of interest (COI) state, packaging type, and mitigation measures in place; and considering whether this includes personnel, closed-circuit television systems or intrusion detection systems (CCTV/IDS), or a combination of both.

Learn More about RBPS 1-7 — Detection and Delay

  • Delay. When implementing delay security measures, a facility may consider whether a single layer or multiple layers of barriers are appropriate; if the facility ships or sells COI and what protections are in place for these processes; how the facility maintains access control measures; and the standoff distance for release chemicals.

Learn more about RBPS 1-7 — Detection and Delay

  • Response. This includes maintaining a Crisis Management Plan or similar document that includes security response and both elevated and imminent threat plans, as well as conducting outreach with local law enforcement or participating in a Local Emergency Planning Committee (LEPC) to increase a facility's preparedness and ensure appropriate response capabilities.

Learn more about RBPS 9 — Response

  • Cyber. In addition to physical security measures, identifying and ensuring appropriate cybersecurity measures is critical to a holistic approach, especially if a COI is integrated with any cyber control, physical (CCTV/IDS), or business systems (inventory management).

Learn more about RBPS 8 — Cyber

  • Security Management. Measures to support security management include maintaining a Security Awareness Training Program, inspection and maintenance programs, recordkeeping, establishing a security organization, incident reporting and investigations, inventory procedures, and vetting facility personnel and unescorted visitors with access to restricted areas and critical assets.

Learn more about RBPS 10 — Monitoring

Learn more about RBPS 11 — Training

Learn more about RBPS 12 — Personnel Surety

Learn more about RBPS 15-16 — Significant Security Incidents

Learn more about RBPS 18 — Records

Detail Current Security Measures

Be as detailed as possible. The text boxes in the Chemical Security Assessment Tool (CSAT) SSP application have been included so that facilities can more fully describe current security measures, including how the measures address the relevant RBPS. The better CISA can conceptualize and understand your approach to security measures, the better we can evaluate whether they meet the applicable RBPSs.

Don't overlook safety and environmental measures already in place that contribute to security. You've invested in them. They may reduce the likelihood of a release or theft of COI, so you should consider including them in your SSP. For example:

  • Emergency response plans, training drills, and exercises that are applicable regardless of whether a release is accidental or intentional.
  • Product stewardship, "know-your-customer," and other programs to ensure the right materials get to the right customer may also help you identify attempted product diversions.
  • Process safety layers of protection that not only prevent accidents but may also create barriers to prevent a terrorist from accessing a COI.
  • Gas detection systems that would trigger an alarm in response to any release—accidental or intentional.

Describe Planned Security Measures

Describe planned measures the facility has committed to implement. A planned measure section in your security plan can be used to describe security measures that your facility will be implementing but has not implemented at the time the SSP is submitted.

  • CISA will consider planned measures when evaluating the SSP. During the authorization inspection, the facility should be prepared to provide documentation describing the timetable for implementing planned measures.
  • Documentation may include evidence that the planned measure is in the process of being installed or implemented, such as detailed designs accompanied by an approved or documented capital budget or preparation for/completed bid process for installation.

Specify Facility-Wide or Asset-Specific Measures

Make clear whether a security measure is applied facility-wide or just to a specific asset. CFATS requires that the COI are protected for the security issue and at the appropriate tier as identified in your tiering notification letter from CISA.

As an example, see the figure below that shows the three acceptable strategies for appropriately protecting Tier 1 asset and Tier 4 assets in a single facility.

  1. The facility could secure the entire facility at the Tier 1 level.
  2. Alternatively, the facility could secure the entire facility at a Tier 4 level and add additional security around the Tier 1 asset to secure it at the higher level.
  3. Another option is for the facility to secure the Tier 1 asset at a Tier 1 level, secure the Tier 4 asset at the Tier 4 level and have limited physical security measures for the facility as a whole.

Overall, most facilities implement a mixture of facility-wide and asset-specific measures.

Figure showing three acceptable strategies for security Tier 1 and Tier 4 facility assets. The first example has hardened security around the entire facility. The second has moderate security at the perimeter and hardened security for the Tier 1 facility asset. The third example has some security at the perimter, hardened security for the Tier 1 asset, and moderate security for the Tier 4 asset.

Contact Information

For questions, please send an email to CFATS@hq.dhs.gov.

For technical assistance with CSAT, please call the CSAT Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET).