The Cybersecurity and Infrastructure Security Agency (CISA) recently updated internal guidance regarding additional areas of focus that its Chemical Security Inspectors may address during Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections. While the scope and level of detail may still vary from Inspector-to-Inspector, facilities can expect increased attention in the following areas:
- Cyber – A more detailed review of the facility’s critical cyber systems, including those that may be used to handle, manage, or order Chemicals of Interest (COIs) or control and monitor Closed-Circuit Television (CCTV) camera and electronic access control systems. It is suggested that facilities have local and/or corporate IT representatives available or “on call” to answer questions.
- Background Checks – Confirmation that “affected persons” have been screened for “terrorist ties.” If using Option 1, this may include checking the facility’s “affected persons” against the list of names uploaded to the Personnel Surety Portal in the Chemical Security Assessment Tool (CSAT).
- Detection and Response – A review of COI inventory controls, process safeguards, alarming and monitoring equipment, and/or automated mitigation measures, as applicable, to verify that the facility can promptly detect and respond to a COI release or theft.
Facilities should still be prepared to address other CFATS compliance areas, including physical security measures (e.g., fencing, gates, etc.), recordkeeping, and training.