HOMELAND SECURITY ALERT: Appendix A Finalized! Is your company a “high-risk facility” under the Chemical Facility Anti-Terrorism Standards?

    1 December 2007

    Safeguarding chemical facilities has become a Department of Homeland Security (DHS) priority – indeed, a terrorist attack against any of our nation’s chemical facilities, or the theft of chemicals from such facilities, could result in a catastrophic event.  Due to the potential regional and/or national dangers inherent in chemical facilities, Congress statutorily mandated DHS to regulate their security.  As a result, DHS issued regulations which took effect on June 8, 2007, titled “Chemical Facility Anti-Terrorism Standards” (CFATS).  These regulations establish risk-based performance standards for the security of chemical facilities.  The term “chemical facility,” however, is somewhat misleading because myriad establishments that would not ordinarily be viewed by the public as chemical facilities will be covered by the regulations.  DHS has defined “chemical facility” as “any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criterion identified by the Department.” As such, DHS also included a proposed Appendix A which contained a tentative list of Chemicals of Interest (COI) that will help companies determine whether their facility falls under the purview of these regulations. 

    What do companies need to know about Appendix A?  Ensuring that your company is in compliance with CFATS is vital as these regulations demonstrate that chemical facilities are part of the nation’s overall critical infrastructure.  Congress defines critical infrastructure as the “system and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.”  Companies have great incentives to comply with CFATS – to promote safety for individuals and the population at large, and to avoid civil penalties and potential closure.  The latter can take place where there is a failure on the part of a facility to report the required information within 60 calendar days of the release of the revised regulations, which includes the finalized Appendix A.

    What changed? 

    The revised CFATS regulations were released on November 20, 2007.  The changes involve the list of COI and issues relating to same.  Appendix A lists COI and screening threshold quantities (STQs).  Using Appendix A as a guide, any facility that possesses (or later comes into possession of) any of the listed chemicals with certain STQs must complete and submit a Chemical Security Assessment Tool Top-Screen (Top-Screen).  The Top-Screen is a questionnaire that is designed to elicit information to help DHS determine whether a facility will be designated as high-risk and, therefore, regulated.  DHS also: (1) adjusted the STQs for certain COI; (2) defined the specific security issue(s) implicated by each COI; (3) added provisions that instruct facilities on how to calculate the quantities of COI that they have in their possession; and (4) removed three release-toxic chemicals (Toluene 2, 4-diisocyanate; Toluene 2, 6-diisocyanate; and Toluene diisocyanate (unspecified isomer)). Finally, there are some changes to the regulatory text with regard to how facilities should use the Appendix.   

    It is important to note that although the majority of chemicals listed in Appendix A appear substantially the same, the format of the Appendix has been restructured for a better understanding of what security issues relate to each specific chemical.  The proposed Appendix (issued in April 2007 with the initial regulations) listed a chemical and a corresponding Chemical Abstract Service number.  This final Appendix includes much more information about each chemical listed – specifically, commonly-used synonyms, security issue(s), an assigned STQ, and a minimum concentration provision for each chemical.  Unlike the initial proposal, the finalized Appendix A does not initiate an obligation to report to DHS when a facility has mere possession of an STQ of “any amount.”

    What does a Top-Screen entail? And what will DHS do with its answers?

    If a company has to complete a Top-Screen due to an STQ, it does not mean per se that the facility is a high-risk facility.  In fact, only after the Top-Screen process is completed will DHS make a determination as to whether a given facility presents a high level of security risk and therefore must comply with CFATS. Generally, the Top-Screen seeks information related to security and emergency preparedness issues, and may include questions such as:  

    • the nature of the business and activities conducted at the facility;

    • the names, nature, conditions of storage, quantities, volumes, properties, customers, major uses, and other pertinent information about specific chemicals or chemicals meeting a specific criteria;

    • information concerning facilities’ security, safety, and emergency response practices, operations, and procedures;

    • information regarding incidents, history, funding, and other matters bearing on the effectiveness of the security and response programs;

    • and other information as necessary.

    With such information, DHS will focus on four main security issues: (1) release (including toxic, flammable, and explosive); (2) theft and diversion (including chemical weapons and chemical weapon precursors, weapons of mass effect, and explosives and improvised explosive device precursors); (3) sabotage and contamination, and (4) critical value to government mission and national economy.  There is at least one security issue for each chemical listed in Appendix A. 

    Note also that DHS may directly notify facilities, or through a Federal Register notice, that they must complete and submit a Top-Screen within a specified period of time.

    What happens when a company is deemed a “covered facility?”

    CFATS defines a “covered facility” as “…a chemical facility determined by the Assistant Secretary to present high levels of security risk, or a facility that the Assistant Secretary has determined is presumptively high risk…”  Covered facilities will be required to prepare Security Vulnerability Assessments (SVA), which identify facility security vulnerabilities, and Site Security Plans (SSP), which identify measures that satisfy the identified risk-based performance standards.  SVAs and SSPs must be submitted to DHS for review and approval.  There will also be instances where the regulations will allow certain companies to submit an Alternate Security Program instead of a SVA and/or SSP.  A facility will be placed in one of four risk tiers with commensurate security obligations (tier placement will be protected information).  In addition, the regulations address inspections and audits, recordkeeping, and the protection of information that constitutes Chemical-terrorism Vulnerability Information.  Finally, the DHS has authority to compel compliance with CFATS. 

    What to do now?

    DHS promulgated these regulations as a means for federal officials to identify facilities and their chemicals that terrorists might target for attack or theft.  Action must be taken now by facility owners – a review of Appendix A should be conducted for chemicals that a facility may possess at or above the STQ for any applicable security issue.  If such STQ exists, the facility must complete and submit a Top-Screen within 60 calendar days of November 20, 2007.  

    It is also important to remember that DHS will periodically update the list of chemicals in Appendix A.  This will be done subject to notice and comment.  However, every time there is an update, a review of the regulations and Appendix A should be initiated to ensure continued compliance with CFATS.

    This Homeland Security Alert provides only general information and should not be relied upon as legal advice.