How CFATS Has Changed Chemical Facility Security
The establishment of CFATS marks the first time in U.S. history that security is a matter of regulatory compliance for the chemical industry
Even companies that may have never placed a great focus on security now have to take it extremely seriously, not only because of a particular threat or security risk, but also because of potential penalties from the federal government if they do not. The Department of Homeland Security (DHS) has staffed up with additional manpower to aggressively enforce compliance with CFATS regulations.
In the first stage of CFATS implementation, the risk of all chemical facilities is evaluated based on an online assessment tool that surveys each facility's use of "chemicals of interest." Based on the assessment, certain facilities are required to prepare Security Vulnerability Assessments (SVAs) and to develop and implement Site Security Plans, which include measures to address the 18 published Risk-Based Performance Standards (RBPS) that are listed in a 194-page document.
This document covers requirements such as securing site assets, screening and controlling access, addressing sabotage, and dealing with specific threats, vulnerabilities or risks. Once the site security plan has been approved, the facility must implement the plan within a specified time period.
The CFATS rule also contains associated provisions addressing inspections and audits, record keeping and the protection of chemical vulnerability information. Non-compliance can result in fines of $25,000 per day and closure of a facility.
Due to the risk-based nature of CFATS, companies have to use a great deal of their own judgment in order to comply with the 18 RBPS. The regulations require a level of performance to mitigate risks to chemical-based facilities but do not prescribe specific security measures to be used. In theory, the distinction creates an environment conducive to development of best practices. In reality, the vagueness of the requirements leaves uncertainty that could work against a facility trying in good faith to comply if its measures are judged ineffective or inadequate.
The role of the security vendor, including suppliers of security manpower, is now more important than ever for CFATS-regulated facilities. Many (if not most) of the tasks required by the regulation are performed by security vendors. Training of security officers as well as the quality of the overall security program is critical for these regulated sites, not only for security but for regulatory compliance.
DHS has not made things easy for the regulated sites, as uncertainty about many aspects of the program is still rampant. Now, for the first time, not only do facilities have to answer for the effectiveness of their security measures, they will also be judged and assessed by an outside party – the government – with expensive consequences if they don't pass muster.
Carlos Barbosa is Vice President, Vertical Development at G4S Secure Solutions USA. He has more than 15 years of experience designing and implementing security solutions for private customers as well as the US government domestically and abroad. His specialty is chemical/petrochemical facility security.