CFATS Update The Pre-Authorization and Authorization Inspections -- Security Today

CFATS Update The Pre-Authorization and Authorization Inspections

By Carlos Barbosa
Nov 29, 2011

In October 2006, the Department of Homeland Security Appropriations Act of 2007 became law. Section 550 of the Act ordered the Department of Homeland Security (DHS) to “...issue interim final regulations establishing risk‐based performance standards for security of chemical facilities and requiring security vulnerability assessments and the development and implementation of site security plans for chemical facilities.” Those regulations became known as the Chemical Facility Anti‐Terrorism Standards, or CFATS, and apply to “high‐risk” facilities that possess certain quantities and concentrations of chemicals.

As of July 2011, DHS has classified approximately 99 facilities as Tier 1, or highest risk, 502 facilities as final Tier 2, 1,155 facilities as final Tier 3 and 2,195 facilities as final Tier 4 facilities with the lowest risk.

In 2009, all identified facilities were required to file a Site Security Plan (SSP) with DHS via a web‐based tool called the Chemical Security Assessment Tool (CSAT). However, once DHS received and started processing SSPs, it became evident that the CSAT did not require a sufficient amount of detailed security information for DHS to fully understand each facility’s security posture.

Washington, We Have a Problem...
The way the CSAT was designed, the SSP only required facilities to respond yes or no to questions such as, “Does the facility have an emergency management team available?” and “Does the facility use the CCTV camera feature?” More detail was needed since the credibility and practicality of the regulation depended on how DHS gathered, analyzed and evaluated the required information from the industry. At that moment, DHS was at a crossroads and needed to take action. On one hand, the agency could have started from scratch and reconfigured the CSAT completely. However, those individuals who saw first‐hand the amount of effort and resources applied to the original process know that this would have caused more than a few eyebrows in the industry to rise.

Ultimately, for all Tier 1 facilities the Department decided to institute a preliminary round of site inspections called pre‐authorization inspections (PAI). How this will be addressed with the other tiers in the future is not known at this time. The PAIs were designed to provide facilities with additional guidance in writing their SSPs not included in the CSAT itself. The PAI process started in January 2010 with facilities visited by 3 to 7 inspectors over 2 to 4 days. The PAI is not an audit per se; it is not regulatory in nature and it is not mentioned in the law, but it is giving industry the chance to get a taste of what the real Authorization Inspection will look like. The inspectors will tour the facilities, will see firsthand the Chemicals Of Interest or COI, will discuss with the Facility Security Officer the applicable RBPS, and will discuss the different security assets and their nature. After that, the CSAT will re‐open and the facility will have between 20 and 45 days to re‐submit the SSP with additional and more detailed information, a daunting task.

The Authorization Inspection: Where the Rubber Meets the Road
After the PAI is completed, the revised SSP is submitted and approved by DHS, the real audit will begin. Although at this time only a handful of facilities have actually gone through an Authorization Inspection or (AI), this is a key element of the regulation. A typical AI lasts for about a week and is staffed by six inspectors on average. The aim of DHS is to validate the approved SSP during this inspection. The inspectors will -- of course -- look at obvious security measures such as the perimeter fence and the video surveillance equipment; but more important, they will evaluate less evident measures such as procedural security, training records, and security personnel screening and selection processes.

Another DHS objective is to make sure that the planned security measures identified in the SSP comply with the definition of “planned security measures” as understood by DHS. A planned security measure goes beyond an activity or investment that a plant would like to do at some point in time; this would be considered a proposed security measure and does not count towards SSP approval. A planned security measure as defined by DHS must be realistic, budgeted, under development and with a completion date in the near future. Finally, the DHS inspectors will have conversations with security personnel at the site and will evaluate their responses to questions such as: Explain your visual inspection procedures, explain the suspicious package procedures, explain and demonstrate an undercarriage inspection process, etc. Control room operators will also be interviewed at all AIs and asked about the emergency notification procedures of the facilities, shutdown procedures and worst case scenario response.

Lessons Learned
Now that several tier 1 PAIs and a handful of AIs have been completed, a few lessons can be shared with the regulated chemical industry at large. First of all, it is important to remember that inspectors will look for more than the most visible security measures when evaluating your SSP. How you do things will be as important as what you do. Procedural security, the availability of records and the intangible qualities of security personnel will play a critical role in the approval (or not) of a facility’s SSP. Therefore, the second lesson is that the security provider at your regulated facility should be a true partner during the entire CFATS process. To involve the security vendor from the beginning guarantees a more cohesive approach to the inspection process. Sophisticated security vendors can add substantial value to a facility’s security posture through the use of intelligent technologies and consulting services. The final lesson is to make sure that the facility’s security personnel are fully trained, properly screened (in accordance with RBPS 12 Personnel Surety), and bring the right traits for the job.

The inspectors are doing their job. Have you done yours?

HID Signs Agreement to Acquire Calmell Group
07/10/2025
HID and ASSA ABLOY Recognized with Renowned Red Dot Award for Innovative Biometric eGate Design
07/09/2025
Security Industry Association Announces Program for 2025 AcceleRISE Conference
07/07/2025
SIA Opens Applications for 2025 Denis R. Hébert Identity Management Scholarship
07/07/2025
Honeywell Makes Strategic Tuck-in Acquisition of Li-ion Tamer
07/01/2025
Defining SASE at the Largest Consumer Electronics Chain in the Nordics
06/26/2025
Elite Interactive Receives Strategic Investment from CIVC Partners
06/26/2025
ProdataKey’s Emergency Response Integrations: Integrated Access Control Made Easy
06/25/2025

Featured

Industry Embraces Mobile Access, Biometrics and AI

A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now
- Access Control
Sustainable Video Solution Delivered for Landmark City of London Office Development

An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now
- Facility Security
DHS to End ‘Shoes-Off’ Travel Policy

Homeland Security Secretary Kristi Noem announced a new policy today which will allow passengers traveling through domestic airports to keep their shoes on while passing through security screening at TSA checkpoints. Read Now
- Airport Security
AI to Help Resolve Non-Emergency Calls Across Utah and Decrease 911 Caller Wait Times

The Utah Communications Authority (UCA), which oversees the state’s next generation 911 technology services, recently announced that public safety answering points (PSAPs) throughout the state plan to implement Motorola Solutions’ Virtual Response technology to automate the receipt and resolution of 10-digit non-emergency line calls in Utah with the help of AI. Read Now
- Government
Report: 2025 Video Surveillance Market Set to Grow After Small Decline in 2024

Novaira Insights has unveiled its latest report, “World Market for Video Surveillance Hardware and Software – 2025 Edition.” The research indicates that the global market for video surveillance hardware and software experienced a slight decline of 0.3% in 2024. This performance fell short of previous forecasts, primarily due to a significant decrease of 7.8% in the Chinese market. Conversely, the rest of the world saw a growth of 4.9%. The global market for video surveillance equipment was estimated to be worth $25.0 billion in 2024. Read Now
- Video Surveillance

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

4K Video Decoder

3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.
Camden CM-221 Series Switches

Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.
FEP GameChanger

Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.