Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program (EAP)

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

The Chemical Facility Anti-Terrorism Standards (CFATS) Expedited Approval Program (EAP) is an optional process that Tier 3 and Tier 4 high-risk chemical facilities can choose to submit their Site Security Plan (SSP) for approval from CISA to bypass the pre-approval authorization and Authorization Inspection step in the CFATS process. Facilities with an approved EAP SSP enter directly into the CFATS regulatory cycle.

EAP Overview

The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 ("CFATS Act of 2014"), Public Law 113-254 (6 U.S.C. § 621, et seq.), established the Expedited Approval Program (EAP), and directed the Department of Homeland Security (DHS) to issue prescriptive guidance that "identifies specific security measures that are sufficient to meet the risk-based performance standards" for facilities that choose to submit an SSP pursuant to the EAP. See 6 U.S.C § 622(c)(4)(B)(i).

Along with the EAP SSP, the facility must submit a certification (see below) that certifies the owner or operator has visited, examined, documented, and verified that the facility meets the criteria in the SSP. See 6 U.S.C. § 622(c)(4)(C).

DHS Guidance for EAP

The DHS Guidance for the Expedited Approval Program provides Tier 3 and Tier 4 covered chemical facilities with a better understanding of security measures that could be used to meet the Risk-Based Performance Standards (RBPS), and helps identify and select processes, measures, and activities they may choose to implement in order to secure and monitor their facilities. The prescriptive measures contained in the Guidance are intended to apply specifically to facilities that elect to participate in the EAP.

Note: The security posture of facilities submitting a security plan (SSP or Alternative Security Program [ASP]) through the regular, nonprescriptive CFATS process will continue to be evaluated against the RBPS in a holistic fashion.

Certification Under Penalty of Perjury

The certification is a document that is signed under penalty of perjury by the owner or operator of an expedited approval facility and submitted with the EAP SSP that certifies compliance with all of the requirements contained in 6 U.S.C. § 622(c)(4)(C).

Participation in the EAP

A facility that elects to submit an SSP under the EAP must notify CISA of its intention to do so at least 30 days prior to submitting the SSP and certification via the Agency's Chemical Security Assessment Tool (CSAT), or via a letter sent to:

Chemical Security, Associate Director

CISA — CHR STOP 0609

Cybersecurity and Infrastructure Security Agency

1310 N. Courthouse Rd.

Arlington, VA 20598-0609

All Tier 3 and Tier 4 facilities that choose to use the EAP to submit an SSP must include security measures that cover all of the RBPS. The security measures within the EAP SSP must either be existing security measures or planned measures with a clear timeline for implementation not to exceed twelve (12) months from date of the approval. See 6 U.S.C. § 622(c)(4)(C)(v).

If a facility uses a security measure that materially deviates from a measure specified in the Guidance, then the facility's SSP must identify the deviation for the specific security measure and explain how the new measure meets the relevant RBPS. See 6 U.S.C. § 622(c)(4)(B)(ii).

Additional Information

Visit the CFATS Knowledge Center for an online repository of FAQs, articles, and the latest news on the CFATS program.

Contact Information

For further questions about the EAP, please contact CFATS@hq.dhs.gov.