The CFATS Sunset and Its Implications for Chemical Security




INSIGHTi

The CFATS Sunset and Its Implications for
Chemical Security

Updated September 5, 2023
The Chemical Facility Anti-Terrorism Standards (CFATS) program, which regulated covered chemical
facilities for security, sunset as of July 28, 2023, after Congress allowed its statutory program
authorization to expire. The House passed a bill (H.R. 4470) on a 409-1 vote to extend the authorization
for two years. A companion Senate bill (S. 2499) did not advance past introduction, and a motion to
consider the House-passed bill was blocked in the Senate on July 26, shortly before the Senate adjourned
for fall recess.
The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security
(DHS) agency that administered CFATS, subsequently issued a statement that it had suspended all
program activities related to enforcement and compliance assistance. Additionally, requirements for
facilities to maintain existing site security plans or programs and to report possession of certain
“chemicals of interest” were suspended. CISA encouraged previously covered chemical facilities to
maintain existing security measures, and noted the availability of its resources for adoption of voluntary
best practices under the ChemLock initiative, which provides a toolkit of on-site assessments and
assistance, exercise packages, on-demand training, and online informational guidance.
Absent congressional action to reauthorize CFATS, continuing DHS infrastructure security and resilience
activities in the Chemical Sector would rely mainly on voluntary public-private partnerships, as is the
case in most other critical infrastructure sectors. Entities formerly covered by CFATS regulations may
choose to engage in critical infrastructure security and resilience partnerships, while also maintaining or
improving certain security practices and risk mitigation investments. However, they are no longer
required to do so.
This Insight describes potential changes to chemical security in the wake of CFATS expiration and
provides analysis of potential longer-term implications for the Chemical Sector’s security posture if
CFATS is not reauthorized. It may inform congressional action, whether Congress decides to reinstate
CFATS (with or without modifications) or allows the lapse in regulatory authorization to continue
indefinitely.
Congressional Research Service
https://crsreports.congress.gov
IN12235
CRS INSIGHT
Prepared for Members and
Committees of Congress




Congressional Research Service
2
Continuity and Changes to Chemical Security Activities
The CFATS program mandated a “top-screen” process for covered facilities possessing potentially
dangerous chemicals (above certain threshold limits) at risk for misuse by terrorists. High risk facilities
were required to formulate and implement CISA-approved security plans to meet 18 risk-based
performance standards
(RBPS), subject to approval and verification. RBPS covered a variety of security
issues, including, among others: perimeter security, vetting and screening of onsite personnel, incident
response, record keeping, incident reporting, and security training. CISA did not prescribe specific
security measures, but did provide guidance and consultation to facility owner-operators to aid in
compliance.
Certain security measures might continue after the CFATS sunset on a voluntary basis, but likely with
changes. For example, RBPS 1 (Restrict Area Perimeter) includes installation of barriers, lighting, and
monitoring and detection equipment at covered facilities. Formerly covered entities may choose to keep
these assets—either partially or entirely—in place. However, operation and maintenance of perimeter
security assets requires trained personnel to monitor systems and react to contingencies. Owner-operators
could choose to discontinue these activities if they deem them unnecessary or cost-prohibitive, and if no
other relevant federal regulatory requirements apply.
Owner-operators may also continue personnel screening and identification as they see fit, but they will
not have the ability to submit requests to DHS for personnel vetting using the Terrorism Screening
Database (TSDB), a unified federal watchlist developed after the September 11, 2001, terrorist attacks.
CISA has closed the online portal used for enrollment in the program. Background documentation such as
credit checks, which do not require TSDB access, remain available to facility owner-operators. Security
personnel may also inspect credentials already issued to vetted individuals under the auspices of CFATS
and certain other federal security programs, but CISA cannot validate existing credentials or approve new
ones.
Potential Longer-Term Implications of CFATS Sunset
The 18 RBPS have complex interdependencies, potentially complicating any efforts to fully separate
voluntary security activities from the regulatory authorities that enable them. For example, TSDB vetting
under CFATS regulatory authority enabled many other security activities related to access control, such as
cybersecurity. Likewise, CISA used mandated incident reports to inform regulatory oversight and develop
up-to-date voluntary security guidance for the Chemical Sector. CISA maintains a program for voluntary
submission of critical infrastructure information, but it is not specific to chemical sector security
requirements.
In general, regulation and voluntary public-private partnerships often develop concurrently, and coexist
within the broader federal critical infrastructure enterprise. Regulatory relationships may encourage
private-sector engagement with federal agencies on voluntary initiatives, particularly if these facilitate
cost-effective compliance. For example, the offshore exploration and extraction industry segment of the
Oil and Gas Subsector—regulated under authorities in the Maritime Transportation Security Act of 2002
(P.L. 107-295)—has more voluntary public-private engagement on risk assessment, information sharing,
and standards development than some other, less-regulated oil and gas industry segments.
Some observers voiced concern that the CFATS sunset may erode chemical security expertise in CISA
and the private sector. Some CISA chemical security positions may be eliminated or reallocated, absent
reauthorization. In the private sector, compliance-relevant expertise may atrophy.
Some Members expressed concerns about program effectiveness, compliance costs, and overlap with
other federal regulations. In a July 26 floor speech, Senator Rand Paul said that CFATS “places a burden


Congressional Research Service
3
on business, impeding their potential growth and creating unsurmountable barriers to entry for those who
find the regulatory compliance too cumbersome and expensive to even attempt to break into the sector.”
He added that the Government Accountability Office (GAO) “found much of this program to be
duplicative of other Agencies.”
The January 2021 GAO report reviewed eight federal chemical security programs and compared them
with CFATS standards. It found that six programs had some duplicative requirements that certain facilities
might be subject to. It also found that statutory exclusions of certain facilities from CFATS regulations
produced some potential regulatory gaps.












Author Information

Brian E. Humphreys

Analyst in Science and Technology Policy




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

IN12235 · VERSION 2 · UPDATED