Implementation of Chemical Facility
Anti-Terrorism Standards (CFATS):
Issues for Congress

Dana A. Shea
Specialist in Science and Technology Policy
July 10, 2014
Congressional Research Service
7-5700
www.crs.gov
R43346


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Summary
The Department of Homeland Security (DHS) implements the Chemical Facility Anti-Terrorism
Standards (CFATS) regulations, which regulate security at high-risk facilities possessing more
than certain amounts of one or more chemicals of interest. Facilities possessing more than the
specified amount must register with DHS through this program (a process known as the Top-
Screen) and perform security-related activities. The DHS identifies a subset of high-risk chemical
facilities from among those that register. These high-risk chemical facilities must submit a
security vulnerability assessment, which DHS uses to confirm their high-risk designation, and a
site security plan, which DHS then reviews and authorizes. The DHS also inspects and approves
high-risk chemical facilities for adherence to their submitted site security plans. It also later
inspects for compliance with these plans following DHS approval. The DHS regulates
approximately 4,000 facilities under this program and is in the process of implementing the
regulatory requirements for security vulnerability assessment, site security planning, and
inspection.
The DHS has had challenges meeting its own projections and congressional expectations
regarding program performance, raising questions about its ability to achieve steady-state
regulatory implementation. As of April 2014, DHS had made final risk assignments to 3,316 of
the approximately 4,200 regulated facilities. The DHS reported in June 2014 that it now regulates
approximately 4,000 facilities, though it did not report the number with final risk assignments.
The DHS authorizes a site security plan when the submitted plan satisfies CFATS requirements.
Following a successful authorization inspection, DHS approves the site security plan. As of June
2014, DHS had authorized 1,585 site security plans; conducted 1,146 authorization inspections;
and approved 819 site security plans. Between June 2013 and June 2014, DHS authorized an
average of 94 and approved an average of 59 site security plans per month. The DHS increased its
average authorization and approval rate over time; between November 2013 and June 2014, DHS
authorized an average of 110 and approved an average of 72 site security plans per month.
Between May 2014 and June 2014, DHS authorized 111 and approved 100 site security plans.
This report analyzes data from a variety of DHS presentations, testimony, and other sources to
present a historical overview of program performance to date. It identifies an ongoing gap
between the number of facilities that have received final risk tier assignments and the total
number of regulated facilities. This makes it appear likely that DHS will not have inspected or
approved site security plans for some portion of the regulated facility universe for at least several
years. In addition, the current rates of authorization of site security plans, authorization
inspection, and approval of site security plans make it appear likely that DHS will not have
completed implementation for the initial facilities before the date when it will potentially need to
begin reinspecting already approved facilities. With the onset of compliance inspections,
congressional policy makers may have further questions about the ability of the CFATS program
to meet congressional expectations regarding timeliness.

Congressional Research Service

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Contents
Introduction ...................................................................................................................................... 1
Statute and Regulation ..................................................................................................................... 2
Implementation Analysis ................................................................................................................. 3
Chemical Facility Tier Assignment ........................................................................................... 5
Site Security Plan Authorization................................................................................................ 8
Authorization Inspections and SSP Approvals ........................................................................ 11
Compliance Inspections ........................................................................................................... 14
Assessment and Policy Implications .............................................................................................. 15

Figures
Figure 1. Implementation Steps within the CFATS Process ............................................................ 4
Figure 2. Regulated Facilities and Top-Screen Submissions ........................................................... 6
Figure 3. High-Risk Facilities Assigned Final Risk Tiers................................................................ 8
Figure 4. Authorized Site Security Plans ......................................................................................... 9
Figure 5. Projection for Completion of SSP Authorization in 1, 2, 5, and 10 Years ...................... 10
Figure 6. Authorized SSPs, Authorization Inspections, and Approved SSPs ................................ 12
Figure 7. Projection for Completion of SSP Approval in 1, 2, 5, and 10 Years ............................. 13

Tables
Table 1. Projected Required Site Security Plan Authorization Rate .............................................. 11
Table 2. Projected Required Site Security Plan Approval Rate ..................................................... 14

Contacts
Author Contact Information........................................................................................................... 17

Congressional Research Service

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Introduction
The chemical industry is one of the United States’ largest manufacturing industries, directly
employing more than 790,000 workers. The chemical industry serves both a domestic and global
market, and other industrial sectors rely on chemical products as essential to their business. The
potential harm to public health and the environment from a large release of hazardous chemicals
has long concerned congressional policy makers. Accidental chemical releases spurred
environmental and other legislative proposals to reduce the risk of chemical accidents in the
United States. While congressional interest in the security of chemical facilities predates the
September 11, 2001, attacks, they prompted renewed congressional attention to the potential
security risks posed by hazardous chemicals.
In 2006, Congress authorized the Department of Homeland Security (DHS) to regulate chemical
facilities for security purposes.1 In 2007, DHS issued interim final regulations establishing risk-
based performance standards known as the Chemical Facility Anti-Terrorism Standards (CFATS).
These regulations provided a process whereby facilities would submit information and security
plans to DHS, DHS would review and approve these plans, facilities would implement them, and
DHS would inspect their implementation. The DHS has regularly experienced challenges in
implementing these regulations. It has not met its own expected timelines or milestones to begin2
or complete facility inspections.3 As of June 2014, DHS had inspected and approved 819 site
security plans, approximately 20% of the regulated facilities. This report provides information
regarding the pace of DHS CFATS implementation and attempts to identify potential sources of

1 P.L. 109-295, Department of Homeland Security Appropriations Act, 2007, §550.
2 In July 2007, DHS testified that formal site inspections of a selected group of facilities would begin by the end of the
calendar year (Testimony of Robert B. Stephan, Assistant Secretary for Infrastructure Protection, National Protection
and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure, July 24, 2007). In December 2007, DHS testified that
facility inspection would begin in fall of 2008 (Testimony of Robert B. Stephan, Assistant Secretary for Infrastructure
Protection, National Protection and Programs Directorate, Department of Homeland Security, before the House
Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure, December 13, 2007).
In 2009, DHS testified that inspections would begin in the first quarter of FY2010 (Testimony of Philip Reitinger,
Deputy Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the
House Committee on Homeland Security, June 16, 2009). The first authorization inspection took place in July 2010
(House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, Evaluating Internal
Operation and Implementation of the Chemical Facility Anti-Terrorism Standards [CFATS] Program by the
Department of Homeland Security
, Serial 112-111, February 3, 2012, p. 65).
3 In 2010, DHS testified that it expected to inspect all Tier 1 facilities by the end of calendar year 2010 (Oral testimony
of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security,
before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010). In 2011, DHS testified
that it expected to inspect all Tier 1 facilities by the end of calendar year 2011 (Oral testimony of Rand Beers, Under
Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the House
Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies, February 11, 2011). In 2013, DHS testified that it planned to have all Tier 1 facilities approved by
October 2013 (Testimony of Rand Beers, Under Secretary, and David Wulf, Director, Infrastructure Security
Compliance Division, National Protection and Programs Directorate, Department of Homeland Security, before the
House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, March 14, 2013). The
DHS also planned to have all Tier 1 and Tier 2 facilities approved by May 2014 (Office of the Inspector General,
Department of Homeland Security, Effectiveness of the Infrastructure Security Compliance Division’s Management
Practices to Implement the Chemical Facility Anti-Terrorism Standards Program
, OIG-13-55, March 2013, p. 22). The
DHS did not meet these milestones. It now estimates that, by the end of FY2014, it will have approved over 90% of all
Tier 1 and Tier 2 facilities that have authorized site security plans (Communication between Office of Legislative
Affairs, Department of Homeland Security, and CRS, October 25, 2013).
Congressional Research Service
1

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

challenges for DHS. It does not address broader issues related to chemical facility security; for
such information and analysis, see CRS Report R42918, Chemical Facility Security: Issues and
Options for the 113th Congress
, by Dana A. Shea.
Statute and Regulation
In 2006, Congress authorized the Department of Homeland Security (DHS) to issue interim final
regulations establishing risk-based performance standards for chemical facility security and
requiring facilities to develop vulnerability assessments and to develop and implement site
security plans.4 Among other provisions, the statute directs DHS to allow regulated entities to
employ combinations of security measures to meet risk-based performance standards,5 and it
specifies that these regulations are to apply only to those chemical facilities that the Secretary
determines present high levels of security risk.
The law contains a high-level framework for its implementation. The Secretary must review and
approve the required vulnerability assessment, site security plan, and its implementation at each
facility. The Secretary must audit and inspect chemical facilities and determine regulatory
compliance. If the Secretary finds that a facility is not in compliance, the Secretary must write to
the facility explaining the deficiencies found, provide an opportunity for the facility to consult
with the Secretary, and issue an order to the facility to comply by a specified date. If the facility
continues to be out of compliance, the Secretary may impose a fine and, eventually, order the
facility to cease operation.
In 2007, the DHS issued an interim final rule and created the Chemical Facility Anti-Terrorism
Standards (CFATS) program.6 Much of the rule arises from the Secretary’s discretion and DHS
interpretation of legislative intent and was not explicitly detailed by the law.
Under the interim final rule, the Secretary of Homeland Security determined which chemical
facilities must meet regulatory security requirements. Facilities with greater than specified
quantities of any of 322 chemicals of interest must submit information to DHS, via a process
known as the “Top-Screen,” so that DHS can preliminarily determine each facility’s risk status.
Only those DHS deems high-risk are subject to the CFATS program and regulation.
The DHS assigns all high-risk facilities into one of four risk-based tiers. The DHS established
different performance-based requirements for facilities assigned to each risk-based tier. Facilities

4 P.L. 109-295, Department of Homeland Security Appropriations Act, 2007, §550.
5 According to the White House Office of Management and Budget, a performance standard is a standard
that states requirements in terms of required results with criteria for verifying compliance but
without stating the methods for achieving required results. A performance standard may define the
functional requirements for the item, operational requirements, and/or interface and
interchangeability characteristics. A performance standard may be viewed in juxtaposition to a
prescriptive standard which may specify design requirements, such as materials to be used, how a
requirement is to be achieved, or how an item is to be fabricated or constructed.
Office of Management and Budget, The White House, “Federal Participation in the Development and Use of Voluntary
Consensus Standards and in Conformity Assessment Activities,” Circular A-119, February 10, 1998. For example, a
performance standard might require that a facility perimeter be secured, whereas a prescriptive standard might dictate
the height and type of fence to be used to secure the perimeter.
6 72 Federal Register 17688–17745 (April 9, 2007).
Congressional Research Service
2

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

in higher risk tiers must meet more stringent performance-based requirements (Tier 1 being the
most stringent and Tier 4 being the least stringent).
All high-risk facilities must develop a vulnerability assessment and an effective security plan,
submit these documents to DHS, and implement their security plan. The vulnerability assessment
serves two purposes under the interim final rule. One is to determine or confirm the placement of
the facility in a risk-based tier. The other is to provide a baseline against which to assess the
effectiveness of actions identified in the site security plan.
Each site security plan must describe how activities in the plan address issues identified in the
facility vulnerability assessment. Additionally, the site security plan must address preparations for
and deterrents against specific modes of potential terrorist attack, as applicable and identified by
DHS. The site security plan must also describe how the activities taken by the facility meet the
risk-based performance standards provided by DHS.
High-risk facilities may develop vulnerability assessments and site security plans using
alternative security programs established by a third-party, such as an industry organization
program,7 so long as they meet the tiered, performance-based requirements of the interim final
rule. The Secretary may disapprove submitted vulnerability assessments or site security plans that
fail to meet DHS standards but not on the basis of the presence or absence of a specific measure.
In the case of disapproval, DHS must identify in writing those areas of the assessment and plan
that need improvement. Chemical facilities may request further adjudication by DHS of site
security plan disapprovals.
Once facilities have complied with the regulation by submitting security documentation and
receiving approval of their plans, they are to implement their site security plans. The DHS then
monitors facility compliance with these site security plans. The DHS indicated in 2007 that it
would generally require Tier 1 and Tier 2 facilities to update their Top-Screen, security
vulnerability assessment, and site security plan every two years and Tier 3 and Tier 4 facilities to
do so every three years.8
Implementation Analysis
In effect, the CFATS regulation and its underlying statute create a multistep, iterative process of
facility information submission followed by DHS approval. Each step is iterative since both the
facility, which may revise its submissions, and DHS, which may disapprove the submitted
documents, may cause the other participant to repeat the information exchange. See Figure 1.

7 See, for example, American Chemistry Council, Alternate Security Program (ASP) Guidance for CFATS Covered
Chemical Facilities
, December 2012.
8 72 Federal Register 17688-17745 (April 9, 2007) at 17691. The DHS is considering having facilities update their
Top-Screen information on this schedule and only submit an updated security vulnerability assessment and site security
plan in the case of changes in the Top-Screen information.
Congressional Research Service
3


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Figure 1. Implementation Steps within the CFATS Process

Source: Government Accountability Office, Critical Infrastructure Protection: DHS Needs to Improve Its Risk
Assessments and Outreach for Chemical Facilities
, GAO-13-801T, August 1, 2013.
Notes: The DHS also performs compliance inspections after a facility implements its site security plan. During
each of the above steps, the facility, DHS, or both, may request additional information or propose to change a
determination.
a. Facilities are to submit an initial screening tool (the Top-Screen) that provides basic information about the
facilities and the chemicals they possess.
b. This step includes determining if a facility is high risk, and if so, DHS assigns a tier and identifies security
issues.
c. At this stage, if requirements are satisfied, DHS issues a letter of authorization for the facility’s plan.
Facilities possessing a chemical of interest in quantities above the screening threshold quantity
submit a Top Screen. Top Screen results assist CFATS in determining whether a facility presents a
high-level security risk. After processing a Top Screen, the CFATS Program assigns the facility a
preliminary tier or determines that the facility does not meet the criteria for CFATS regulation.
When a facility receives a preliminary tier assignment notification, it must prepare and submit a
Security Vulnerability Assessment (SVA) to DHS. After reviewing the SVA, the CFATS Program
determines a facility’s final tier assignment or that the facility is not high risk. When the facility
receives a final tier assignment, it must develop and submit a Site Security Plan (SSP) to DHS.
The Infrastructure Security Compliance Division (ISCD) within the DHS National Protection and
Programs Directorate (NPPD) reviews the SSP to preliminarily determine if it satisfies the
applicable risk-based performance standards. This process typically involves discussions between
ISCD staff and the facility. It often requires the facility to submit additional information to ISCD
and revise the SSP before ISCD can complete its initial review and issue the facility a letter of
authorization for the SSP.
After issuing a letter of authorization, ISCD conducts a comprehensive and detailed authorization
inspection. The ISCD reviews the inspection results, as well as any further revisions that the
facility may make to the SSP. It then makes a final determination as to whether the facility’s SSP
satisfies the applicable risk-based performance standards. If so, ISCD issues a letter of approval
and the facility must implement the applicable provisions of the SSP. If ISCD determines that the
SSP does not satisfy the applicable risk-based performance standards, ISCD may issue a notice of
deficiency and require the facility to resubmit a sufficient SSP. If the facility fails to do so, ISCD
may disapprove the SSP. Following the authorization inspection, facilities are generally granted
an additional 45 days to make any necessary modifications to their SSP. ISCD will then review
the resubmitted SSP and make a final determination as to whether the SSP warrants the issuance
of a letter of approval. In some cases, the facility may require a technical consultation and another
opportunity to revise its SSP.
Congressional Research Service
4

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Over time, the DHS has attempted to develop a consistent nomenclature for its review and
inspection process.9 The DHS authorizes an SSP (issuing the facility a letter of authorization)
when the submitted SSP is satisfactory under CFATS.10 The DHS conducts an authorization
inspection
of a facility with an authorized SSP to compare the authorized SSP to the conditions of
the facility. Following a successful authorization inspection, the DHS approves the SSP (issuing
the facility a letter of approval). At a later date, expected to be one year after approval of the SSP,
the DHS will conduct a compliance inspection of a facility to determine whether the facility has
fully implemented its approved SSP.11 Compliance inspections then occur on a periodic basis
depending on the risk tier to which the facility is assigned.
This section will address the above steps by analyzing DHS data to identify underlying
challenges. First, the process of DHS assigning a facility to a risk tier will be discussed. Second,
the rate at which DHS authorizes site security plans will be addressed. Third, the rate at which
DHS inspects and approves authorized site security plans will be analyzed. Finally, compliance
inspections will be addressed.
Chemical Facility Tier Assignment
In the CFATS process, all facilities possessing chemicals of interest above a certain threshold
amount must report to DHS through the Top-Screen process. At the inception of the program,
DHS received approximately 29,000 Top-Screen submissions and preliminarily identified
approximately 7,000 facilities as high-risk and therefore subject to CFATS regulation. Since that
time, DHS has received a cumulative total of more than 48,000 Top-Screen submissions from
over 36,000 facilities.12 Some of this increase is attributable to Top-Screen submissions from
facilities that had never previously submitted one. Such facilities include those that have
increased their holdings of chemicals of interest above the specified threshold and facilities that
had not previously complied with the regulation. Some of these new submissions will be from
facilities that are not high-risk. The remaining additional Top-Screens represent resubmissions
from facilities with new facility information, modified activities, or changed chemical holdings.
Based on this information, DHS may reassess whether they should be assigned to a different
high-risk tier or removed from the program altogether.13

9 The DHS Office of Inspector General criticized prior language used by ISCD to describe the CFATS program’s
progress, calling it “confusing” and “ambiguous.” Office of Inspector General, Department of Homeland Security,
Effectiveness of the Infrastructure Security Compliance Division’s Management Practices to Implement the Chemical
Facility Anti-Terrorism Standards Program
, OIG-13-55, March 2013.
10 In 2011, DHS created “conditional authorization” whereby DHS added specific technical conditions that must be
addressed during an authorization inspection. The DHS has not completed its rulemaking regarding personnel surety,
and so site security plans currently receive “conditional authorization.”
11 Testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Protection and Programs
Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, August 1, 2013.
12 The DHS received submissions from 36,189 unique facilities as of December 2013. Communication between Office
of Legislative Affairs, Department of Homeland Security, and CRS, January 9, 2014.
13 As of October 20, 2013, DHS completed more than 600 facility requests for redetermination that resulted in either
the non-regulation or retiering of many facilities (Office of Infrastructure Protection, National Protection and Programs
Directorate, Department of Homeland Security, Chemical Facility Anti-Terrorism Standards (CFATS) and Ammonium
Nitrate Security Program Updates
, October 2013).
Congressional Research Service
5


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Despite the increase in cumulative Top-Screen submissions, the number of facilities meeting the
DHS criteria for high risk has fallen over time to approximately 4,000. See Figure 2. This
decrease represents facilities that have reduced their holdings of chemicals of interest below
threshold levels, which could be caused by voluntary reductions or facility closures. The DHS has
stated that it no longer considers as high risk more than 3,000 facilities that voluntarily removed,
reduced, or modified their holdings of chemicals of interest.14
An appreciable delay may be occurring between the submission of Top-Screen information and
DHS identifying a facility as preliminarily high-risk. The DHS Office of Inspector General (OIG)
analyzed DHS responses to Tier 1 and Tier 2 Top-Screen submissions. It found that the average
time to receive a tier assignment was 4.8 months, with the longest observed time being 12
months.15 This delay might cause the number of Top-Screen submissions to rise without a
commensurate increase in the number of regulated facilities until such time as DHS responds to
the new submissions.
Figure 2. Regulated Facilities and Top-Screen Submissions
(June 2008 through June 2014)

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: Total regulated facilities plotted against the left axis; Top-Screen submissions plotted against the right
axis. The DHS general y expresses the number of Top-Screen submissions as “more than” a certain amount and
reports in thousands. Thus, the number of Top-Screen submissions should be taken as a lower bound.

14 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, October 2013.
15 Office of Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security
Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program
,
OIG-13-55, March 2013, p. 25.
Congressional Research Service
6

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

The decrease in the number of regulated facilities results from more facilities leaving the program
than entering the program. To the extent that the additional Top-Screen submissions reflect
information from new facilities, then a commensurately greater number of facilities must be
leaving the CFATS program annually.
The increasing number of Top-Screen submissions combined with the decreasing number of
regulated facilities indicates that some fraction of the existing facility universe is submitting
multiple Top-Screens. The filing of multiple Top-Screen submissions may pose a challenge to
DHS, since it may trigger a review of the facility’s risk tier, related documentation, and required
risk-based performance standards.
Once a facility submits Top-Screen data, DHS assigns a preliminary risk tier to the facility. The
DHS assigns a final risk tier after reviewing the facility’s security vulnerability assessment. As
shown in Figure 3, DHS has provided final tier assignments to most facilities. Since mid-2010,
between 14% and 22% of high-risk facilities at any given time lack a final tier assignment.
Analysis of these data on a tier basis reveals that 75% of the facilities lacking a final tier
assignment are in Tier 4.16
The reasons why facilities lack a final tier assignment are likely a combination of several factors:
• Facilities newly joining the CFATS program would be assigned a preliminary
tier. Some of these new submissions would be from high-risk facilities.
• Facilities with incomplete or insufficient security vulnerability assessments
would not receive final tier assignments until DHS and the facility resolved
outstanding issues.
• Facilities changing the amount of chemicals of interest on site might request a
new tiering determination. During this process, a facility might be identified as
preliminarily tiered rather than having a final tier assignment.
• A facility contesting its determination as a high-risk facility or its assignment to a
specific risk tier might not receive a final tier assignment.
• Some facilities are in categories where DHS has indefinitely extended the
timeline for compliance. For example, DHS indefinitely extended the timeline for
compliance for facilities with aboveground gasoline storage tanks, including
facilities (such as petroleum refineries) that may possess other chemicals that
trigger the Top-Screen requirement, as “gasoline terminals” or “terminals.”
Approximately 405 such facilities are preliminarily high risk.17

16 As of April 21, 2014, 92% of Tier 1, 87% of Tier 2, 86% of Tier 3, and 75% of Tier 4 facilities had a final tier
assignment (CRS analysis of DHS data provided by Testimony of Suzanne Spaulding, Under Secretary for National
Protection and Programs, and David Wulf, Director, Infrastructure Security Compliance Division, Office of
Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security before the
Senate Committee on Homeland Security and Governmental Affairs, May 14, 2014).
17 75 Federal Register 1552-1555 (January 12, 2010).
Congressional Research Service
7


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Figure 3. High-Risk Facilities Assigned Final Risk Tiers
(June 2008 through June 2014)

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: The gap between the number of facilities and the number with final tier assignments is facilities with
preliminary tier assignments.
A key issue for oversight is how DHS enforces CFATS on facilities receiving a preliminary tier
assignment. The DHS requires a facility to begin the site security planning process only after the
final assignment to a risk tier. Consequently, DHS oversight of security at facilities awaiting final
risk-tier assignment seems likely to be delayed relative to other facilities. In addition, the fraction
of facilities receiving a final tier assignment has trended slightly downward over time. This may
reflect the dynamic nature of the pool of CFATS-regulated facilities with facilities joining,
leaving, and being retiered within the CFATS program, or it may suggest that DHS is not
resolving the gap between total facilities and facilities with a final tier.
Site Security Plan Authorization
Regulated facilities must submit site security plans (SSPs) that meet the risk-based performance
standards applicable to their final risk tier. The DHS reviews and issues a letter of authorization to
facilities submitting a satisfactory SSP. The DHS has experienced challenges in developing an
effective and efficient authorization process and has engaged in internal review to improve that
process.
Congressional Research Service
8


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Figure 4 shows the number of authorized site security plans. The DHS authorized its first site
security plan on May 28, 2010.18 Between then and August 2012, when DHS implemented a new
integrated SSP review process, DHS authorized approximately 60 site security plans. Since
August 2012, the rate of site security plan authorization has increased. The DHS has authorized a
total of 1,585 SSPs as of June 2014. Facilities in all risk tiers have received authorizations,
though DHS continues to focus on Tier 1 and Tier 2 facilities.
Figure 4. Authorized Site Security Plans
(January 2012 to June 2014)

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: The DHS authorized its first site security plan on May 28, 2010. The decline in the number of authorized
site security plans in February 2014 reflects removal by DHS of authorized site security plans for facilities no
longer regulated under CFATS.
While the current authorization rate is significantly higher than it was previously, 61% of all
regulated facilities (52% of facilities having received a final tier assignment as of April 2014)
lack an authorized SSP as of June 2014. Comparison of the current rate of authorization against
that necessary to authorize all SSPs suggests that it will take several years for DHS to finish
authorization of the existing SSPs. See Figure 5.

18 Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, January 9,
2014.
Congressional Research Service
9


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Figure 5. Projection for Completion of SSP Authorization in 1, 2, 5, and 10 Years

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: Dotted lines indicate the trajectories required to complete site security plan authorization within 1, 2, 5,
or 10 years. Projections assume a constant rate of authorization, the authorization of SSPs for all facilities
(including those currently without a final tier), no change in the total number of facilities, and that each site
security plan corresponds to a single regulated facility.
Figure 5 shows trajectories required to complete SSP authorization within 1, 2, 5, or 10 years.
Assuming the total number of regulated facilities remains unchanged over time, DHS would need
to authorize an average of 205 site security plans monthly to authorize a number of SSPs equal to
the number of facilities within 1 year, an average of 102 monthly to authorize all within 2 years,
an average of 41 monthly to authorize all within 5 years, and an average of 20 monthly to
authorize all within 10 years. As a point of reference, DHS authorized an average of 94 SSPs per
month from June 2013 to June 2014.19 The DHS increased its average authorization rate over
time; between November 2013 and June 2014, DHS authorized an average of 110 SSPs per
month.20 Between May 2014 and June 2014, DHS authorized 111 SSPs.21 See Table 1.

19 CRS calculation based on number of authorized site security plans reported between June 6, 2013, and June 1, 2014.
20 CRS calculation based on number of authorized site security plans reported between November 19, 2013, and June 1,
2014.
21 CRS calculation based on number of authorized site security plans reported between May 1, 2014, and June 1, 2014.
Congressional Research Service
10

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Table 1. Projected Required Site Security Plan Authorization Rate
(average monthly rate)
Monthly Number of Authorized Site
Timeframe
Security Plans
Actual Recent Rate (over 12 months, see text)
94
Actual Recent Rate (over 6 months, see text)
110
Actual Recent Rate (over 1 month, see text)
111
Rate Required to Complete in 1 Year
205
Rate Required to Complete in 2 Years
102
Rate Required to Complete in 5 Years
41
Rate Required to Complete in 10 Years
20
Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: Projections assume a constant rate of authorization, the authorization of SSPs for all facilities (including
those currently without a final tier), no change in the total number of facilities, and that each site security plan
corresponds to a single regulated facility.
The past rate of SSP authorization may not reflect future performance. The DHS may be able to
increase the rate of SSP authorization. The DHS has so far mostly been assessing SSPs for Tier 1
and Tier 2 facilities; SSPs for Tier 3 and Tier 4 facilities may be simpler. As DHS obtains greater
experience in authorizing SSPs, the process may become more efficient. Conversely, DHS may
have difficulty maintaining the current rate of SSP authorizations if future SSPs have lower
quality or pose particular challenges or if other activities compete for ISCD resources. Note that
the projections reported from the above model are conservative; they assume that no facilities join
or leave the CFATS program and that each facility requires only a single authorized site security
plan.
Authorization Inspections and SSP Approvals
Following authorization of a site security plan, DHS inspects the facility to determine its
adherence to its submitted SSP. Once DHS has confirmed such compliance, DHS approves the
SSP and provides the facility with a letter of approval. The DHS began performing authorization
inspections in July 2010 but, following an internal review, suspended its inspection process
pending revisions. The DHS resumed authorization inspections in July 2012 and had completed
more than 100 authorization inspections by April 2013. The DHS did not approve site security
plans at the same rate as it conducted inspections. See Figure 6.
Congressional Research Service
11


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Figure 6. Authorized SSPs, Authorization Inspections, and Approved SSPs
(October 2010 to June 2014)

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Note: The decline in the number of authorized site security plans in February 2014 reflects removal by DHS of
authorized site security plans for facilities no longer regulated under CFATS.
The number of authorized SSPs and the number of authorization inspections appear to roughly
parallel each other. This implies that the authorization inspection rate is roughly commensurate
with the rate of SSP authorization. Assuming a single inspection at each facility, the data do not
suggest that an additional backlog of authorized SSPs waiting for authorization inspections is
likely to build up. If the SSP authorization rate were to increase relative to the rate of
authorization inspections, an additional backlog of authorized SSPs could develop. That effect
might be addressed through increased inspection capability.
Similarly, the rate of authorization inspections roughly parallels the rate of SSP approval. The
number of authorization inspections is greater than that of approved SSPs. One possibility is that
not all authorization inspections lead to an approval. Some facilities may be disapproved, while
others may require multiple authorization inspections to resolve challenges identified in the
inspection process. Another possibility is that the process of issuing an approval following an
authorization inspection takes time; DHS has reported that a facility may be granted up to 45 days
to amend a site security plan following an authorization inspection.22

22 House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, The Chemical
Facility Anti-Terrorism Standards Program: A Progress Report
, Serial No. 112-172, September 11, 2012, p. 112.
Congressional Research Service
12


Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

As of June 2014, 80% of all regulated facilities (75% of facilities with a final tier assignment as
of April 2014) lack an approved SSP. Comparison of the current rate of approval against that
necessary to approve all SSPs indicates that it will take several years for DHS to finish inspecting
and approving the existing SSPs. See Figure 7.
Figure 7. Projection for Completion of SSP Approval in 1, 2, 5, and 10 Years

Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: Projections assume a constant rate of authorization, the authorization of SSPs for all facilities (including
those currently without a final tier), no change in the total number of facilities, and that each site security plan
corresponds to a single regulated facility.
If the total number of regulated facilities remained unchanged over time, DHS would need to
approve an average of 269 site security plans monthly to approve a number of SSPs equal to the
number of facilities within 1 year, an average of 134 monthly to approve all within 2 years, an
average of 54 monthly to approve all within 5 years, and an average of 27 monthly to approve all
within 10 years. As a point of reference, DHS approved an average of 59 site security plans
monthly between June 2013 and June 2014.23 The DHS increased this rate over time; between
November 2013 and June 2014, DHS approved an average of 72 SSPs per month.24 Between May
2014 and June 2014, DHS approved 100 SSPs.25 The Government Accountability Office

23 CRS calculation based on number of approved site security plans reported between June 6, 2013, and June 1, 2014.
24 CRS calculation based on number of approved site security plans reported between November 19, 2013, and June 1,
2014.
25 CRS calculation based on number of approved site security plans reported between May 1, 2014, and June 1, 2014.
Congressional Research Service
13

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

estimated in April 2013 that it could take DHS from seven to nine years to complete reviews and
approvals for currently submitted SSPs from facilities with a final risk tier.26 See Table 2.
Table 2. Projected Required Site Security Plan Approval Rate
(average monthly rate)
Monthly Number of Approved Site
Timeframe
Security Plans
Actual Recent Rate (over 18 months, see text)
59
Actual Recent Rate (over 7 months, see text)
72
Actual Recent Rate (over 1 month, see text)
100
Rate Required to Complete in 1 Year
269
Rate Required to Complete in 2 Years
134
Rate Required to Complete in 5 Years
54
Rate Required to Complete in 10 Years
27
Source: CRS analysis of various DHS presentations, testimony, and other sources.
Notes: Projections assume a constant rate of authorization, the authorization of SSPs for all facilities (including
those currently without a final tier), no change in the total number of facilities, and that each site security plan
corresponds to a single regulated facility.
The past rate of SSP approval may not reflect future performance. The DHS may be able to
increase the rate of SSP approval. The DHS has so far mostly been inspecting Tier 1 and Tier 2
facilities; Tier 3 and Tier 4 facilities may be simpler. As DHS gets more experience in inspecting
facilities and issuing SSP approvals, the process may become more efficient. Conversely, DHS
may have difficulty maintaining the current rate of SSP approvals if future SSPs have lower
quality or pose particular challenges. Note that the projections above are conservative; they
assume that no facilities join or leave the CFATS program, that each facility requires only a single
approved site security plan.
Compliance Inspections
Following approval of a facility site security plan, DHS inspects the facility for compliance.
According to DHS, compliance inspections started in September 2013. As of April 2014, DHS
had performed 31 compliance inspections.27 In April 2013, GAO estimated that full regulatory
implementation, including compliance inspection, for existing facilities would require 8 to 10
years.28

26 Based on an approval rate of 30 to 40 SSPs monthly. Government Accountability Office, Critical Infrastructure
Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be
Strengthened
, GAO-13-353, April 2013.
27 Testimony of Suzanne Spaulding, Under Secretary for National Protection and Programs, and David Wulf, Director,
Infrastructure Security Compliance Division, Office of Infrastructure Protection, National Protection and Programs
Directorate, Department of Homeland Security before the Senate Committee on Homeland Security and Governmental
Affairs, May 14, 2014.
28 Government Accountability Office, Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk
and Gather Feedback on Facility Outreach Can Be Strengthened
, GAO-13-353, April 2013.
Congressional Research Service
14

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

An additional component of future compliance involves the resubmission of updated Top-Screen
information, and if so requested, security vulnerability assessments and site security plans.
According to DHS’s explanation of the CFATS regulation, “the Department will require facilities
in Tiers 1 and 2 to update their Top-Screen, SVA, and SSP every two years, and facilities in Tiers
3 and 4 to update their Top-Screen, SVA, and SSP every three years.”29 If DHS was to inspect
each facility in order to approve a facility’s updated SSP, DHS would need to perform
approximately 124 inspections monthly to finish these inspections before receiving updated
documents.30
The DHS is considering having facilities update their Top-Screen information on this schedule
and only submit an updated security vulnerability assessment and site security plan in the case of
changes in the Top-Screen information. If so, the number of inspections necessary to approve the
updated SSPs would be reduced.
Assessment and Policy Implications
Assessing the future performance of the CFATS program is challenging since it may or may not
be similar to the program’s past performance. Many external and internal events could
dramatically affect program performance. In addition, while the CFATS program has been in
place since 2007, significant reforms began in 2012, changing how DHS implemented the
program. The data on performance since those reforms are relatively sparse compared with the
program’s overall duration. Increased efficiencies on the part of the DHS or more effective
compliance by regulated facilities could change program performance. Any assessment of the
CFATS program is based on the significant assumption that insight about future performance can
be informed by analysis of past performance. Even if this assumption is incorrect, however, an
analysis based on it may still help to identify potential issues with respect to current agency
implementation.
The CFATS program has repeatedly not met DHS-established deadlines for securing high-risk
chemical facilities. At the current level of performance, it appears likely to require several years
to authorize the remaining SSPs, and several years beyond that to inspect the facilities and
approve the SSPs. This conclusion does not consider the impact of compliance inspections, which
have only recently begun. Several factors contribute to this conclusion.
Approximately 20% of facilities regulated under CFATS remain in a state of preliminary risk-tier
assignment.31, 32 As described by DHS, this places those facilities at an early stage of review and

29 72 Federal Register 17688-17745 (April 9, 2007) at 17691.
30 Based on 512 preliminary and final Tier 1 and Tier 2 facilities and 3,690 preliminary and final Tier 3 and Tier 4
facilities (Testimony of Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, and David Wulf, Director,
Infrastructure Security Compliance Division, National Protection and Programs Directorate, Department of Homeland
Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, February 27, 2014).
31 CRS analysis based on DHS data of April 2014 (Testimony of Suzanne Spaulding, Under Secretary for National
Protection and Programs Directorate, and Phyllis Schneck, Deputy Under Secretary for Cybersecurity and
Communications, National Protection and Programs Directorate, Department of Homeland Security before the House
Committee on Appropriations, Subcommittee on Homeland Security, April 29, 2014).
32 Approximately 405 of these are facilities with aboveground gasoline storage tanks. The DHS has identified these
facilities as preliminarily high risk but has indefinitely extended their compliance deadlines (75 Federal Register 1552-
(continued...)
Congressional Research Service
15

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

compliance. Without an effective mechanism for reducing the number of preliminarily tiered
facilities, hundreds of high-risk facilities will be in the SSP authorization and approval portion of
the regulation rather than in the SSP implementation and compliance portion. The DHS has
acknowledged this effect in the short term by changing its target metric from approval of all Tier
1 facility SSPs by the end of FY2013 to approval of all Tier 1 and Tier 2 facilities with authorized
SSPs by the end of FY2014.
The CFATS system as a whole appears to operate more slowly than would be necessary to
process all regulated facilities within the compliance inspection timeframe established in the
CFATS regulation. The most obvious factor reducing throughput appears to be the rate of
authorization inspection. The DHS continues to authorize SSPs at a rate equal to or greater than
the number of authorization inspections conducted. Since the number of SSPs approved is less
than the number of authorization inspections, it appears that multiple inspections are necessary to
approve some facilities. Therefore, the rate at which authorization inspections need to be
conducted limits the rate of overall compliance with the CFATS program.
Analysis of the available data indicates that during some time periods, the number of
authorization inspections exceeds the number of SSP approvals, while during other periods, the
opposite is true. This suggests that in addition to the time necessary to perform an authorization
inspection, time is required for approval of the SSPs. If so, increasing the number of authorization
inspections alone may reveal a secondary capacity gap in the rate at which DHS can process SSP
approvals.
The fact that SSP authorizations and authorization inspections roughly parallel each other
suggests that DHS does not have significant additional capacity in its authorization inspection
process. If the authorization inspection process had additional capacity, the number of
authorization inspections would not be limited by the number of authorized SSPs and would
equal or surpass that number, assuming that some facilities require multiple authorization
inspections prior to SSP approval. Increasing authorization inspection capacity might serve to
highlight other potential issues within the CFATS process, such as delays in processing
information from authorization inspections and issuing letters of approval. Inspection capacity
might be increased by employing more inspectors or by process improvements allowing for more
inspections done by the same number of inspectors.
Once compliance inspections start in earnest, the lack of additional inspection capacity may lead
to further challenges. The same inspector cadre is responsible for both compliance inspections
and authorization inspections. Increasing the required number of inspections by beginning
compliance inspections could reduce the availability of staff for completing authorization
inspections.
Because DHS has set a short interval for Top-Screen resubmission (every two years for Tier 1 and
Tier 2 and every three years for Tier 3 and Tier 4) it appears necessary for initial submissions
from regulated facilities to be processed within that time frame. If not, a significant backlog of
activity seems likely given the current rates of inspection and approval. As stated above, to
process all facilities within the time frame of resubmission, DHS would need to perform 124
inspections per month, higher than the current authorization inspection rate, to avoid developing a

(...continued)
1555 (January 12, 2010)).
Congressional Research Service
16

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

backlog relative to facility resubmissions. Should DHS not require all facilities to resubmit
updated SVAs and SSPs, this may allow DHS to have a lower inspection rate without developing
such a backlog.
As DHS makes progress in approving SSPs and as it begins to gather experience in compliance
inspections, it may become possible to project future performance with greater confidence.

Author Contact Information
Dana A. Shea
Specialist in Science and Technology Policy
dshea@crs.loc.gov, 7-6844

Congressional Research Service
17