Defining Chemical-Terrorism Vulnerability Information (CVI)
CFATS Announcement
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
The Homeland Security Appropriations Act of 2007, Pub. L. No. 109-295, directed the Department to protect any information developed or submitted under Section 550 of the Act from inappropriate public disclosure. This includes information that is developed and/or submitted to CISA under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR Part 27). In 2014, Congress reauthorized and amended CFATS through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, Pub. L. No. 113-254.
A covered person is an individual who has a need to know CVI or someone who gains access to what they know to be or reasonably know to constitute CVI.
CVI Specifications
The following information (whether written, verbal, electronic, digital, or otherwise) is specified in 6 CFR § 27.400(b)(1) to (9) as CVI:
Security Vulnerability Assessments (SVAs)
Security Vulnerability Assessments (SVAs) under 6 CFR § 27.215.
Site Security Plans (SSPs)
Site Security Plans (SSPs) under 6 CFR § 27.225.
Documents Related to SVA and SSP Reviews
Documents relating to the Agency's review and approval of SVAs and SSPs, including Letters of Authorization, Letters of Approval, and responses thereto; written notices; and other documents developed pursuant to 6 CFR §§ 27.240 or 27.245.
Alternative Security Programs (ASPs)
Alternative Security Programs (ASPs) under 6 CFR § 27.235.
CFATS Covered Facilities and Inspections
Documents relating to inspections or audits under 6 CFR § 27.250.
Records Required to be Created or Retained
Any records required to be created or retained by a covered facility under 6 CFR § 27.255.
Sensitive Portions of Orders, Notices, or Letters
Sensitive portions of orders, notices, or letters under 6 CFR § 27.300.
Information Regarding Security Risk for a Chemical Facility
Information developed pursuant to 6 CFR §§ 27.200 or 27.205 (such as the CSAT Top-Screen and the determination by the Assistant Director that a chemical facility presents a high level of security risk).
Any Other Similar Information
Other information developed for chemical facility security purposes that the Secretary, in his discretion, determines is similar to the information protected in 6 CFR § 27.400(b)(1) through (8).
The process for a facility to seek designation of CVI under 6 CFR § 27.400(b)(9) is described in Section 5.3 of the Revised CVI Procedures Manual.
Disclosure of CVI
How to safeguard and share CVI.
Handling CVI
Materials containing CVI must be physically controlled and protected, appropriately designated, and withheld from public disclosure.
Evaluating Need to Know CVI
How to evaluate a need to know CVI.
CVI Authorized User Training
Complete CVI Authorized User training.
Reporting CVI Incidents
How to report CVI incidents.
Contact Information
If you have any questions about whether something is CVI or need technical assistance, contact the Chemical Security Assessment Tool (CSAT) Help Desk at 866-323-2957 Monday through Friday (except federal holidays) from 8:30 a.m. to 5 p.m. (ET) or via email at CSAT@hq.dhs.gov.