News

Updated CFATS Compliance Inspection Guidance

February 28, 2022

The Cybersecurity and Infrastructure Security Agency (CISA) recently updated internal guidance regarding additional areas of focus that its Chemical Security Inspectors may address during Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections. While the scope and level of detail may still vary from Inspector-to-Inspector, facilities can expect increased attention in the following areas:

  • Cyber – A more detailed review of the facility’s critical cyber systems, including those that may be used to handle, manage, or order Chemicals of Interest (COIs) or control and monitor Closed-Circuit Television (CCTV) camera and electronic access control systems. It is suggested that facilities have local and/or corporate IT representatives available or “on call” to answer questions.
  • Background Checks – Confirmation that “affected persons” have been screened for “terrorist ties.” If using Option 1, this may include checking the facility’s “affected persons” against the list of names uploaded to the Personnel Surety Portal in the Chemical Security Assessment Tool (CSAT).
  • Detection and Response – A review of COI inventory controls, process safeguards, alarming and monitoring equipment, and/or automated mitigation measures, as applicable, to verify that the facility can promptly detect and respond to a COI release or theft.

Facilities should still be prepared to address other CFATS compliance areas, including physical security measures (e.g., fencing, gates, etc.), recordkeeping, and training.

DHS Semiannual Regulatory Agenda

January 31, 2022

The Department of Homeland Security (DHS) published its Semiannual Regulatory Agenda on January 31, 2022, and updates to the Chemical Facility Anti-Terrorism Standards (CFATS) program was listed as long-term action.
 
In August 2014, the Cybersecurity and Infrastructure Security Agency (CISA) invited public comment on an Advance Notice of Proposed Rulemaking (ANPRM) for potential revisions to the CFATS regulations. In June 2020, CISA published a retrospective analysis of the CFATS program for public comment. In January 2021, CISA invited additional public comment through an ANPRM regarding the removal of certain explosive chemicals from CFATS.
 

As part of its long-term actions, CISA intends to address many of the subjects raised in both ANPRMs and the retrospective analysis, including potential updates to CFATS cybersecurity requirements and Appendix A to 6 CFR Part 27 (i.e., the CFATS Chemical of Interest List).

CFATS Penalty Adjustment

January 11, 2022

The Department of Homeland Security has adjusted the maximum civil penalty for a violation of the Chemical Facility Anti-Terrorism Standards (CFATS) from a penalty of not more than $35,905 for each day during which a violation continues to a penalty of not more than $38,139 for each day during which a violation continues.

Revisions to the Hazardous Materials Endorsement Application Process

December 27, 2021

The Transportation Security Administration (TSA) is revising the process by which individuals apply for a Hazardous Materials Endorsement (HME) for a Commercial Driver’s License. The three changes to the program are: (1) online renewal capability; (2) enrollment in Rap Back; and (3) expanding enrollment options.

  • Online Renewal Capability – TSA is implementing an online renewal capability for both active HME holders whose Security Threat Assessment (STA) has not yet expired as well as HME holders who have a recently expired STA.
  • Enrollment in Rap Back – TSA is revising its biometric fingerprint collection process in States serviced by TSA’s enrollment contractor to now enroll HME holders in Rap Back, a service provided by the Federal Bureau of Investigation (FBI). Once an individual is enrolled in Rap Back, TSA will not be required to collect new biometric fingerprints from the individual every five years or collect a fee from the individual for the submission of fingerprints to the FBI.
  • Expanding Enrollment Options – TSA is expanding enrollment options and the potential use of biographic and biometric (e.g., fingerprints, iris scans, and/or photo) information to facilitate the STA and allow use of the information for additional comparability determinations – such as allowing the HME applicant to obtain a Transportation Worker Identification Credential (TWIC) without requiring an additional background check.

Updated NTAS Bulletin

November 10, 2021

On November 10, 2021, the Secretary of Homeland Security issued an updated National Terrorism Advisory System (NTAS) Bulletin regarding the current heightened threat environment across the United States.

While the Department of Homeland Security is not aware of an imminent and credible threat to a specific location in the United States, the NTAS Bulletin notes that the United States continues to face threats posed by individuals and small groups engaged in violence, including Domestic Violent Extremists (DVEs) and those inspired or motivated by foreign terrorists and other malign foreign influences. Among other things, the NTAS Bulletin provides the following:

  • Following the 20th anniversary of the September 11th attacks and the U.S. withdrawal from Afghanistan, violent extremist media branches of al-Qa’ida and its affiliates, as well as the Islamic State of Iraq and as-Sham (ISIS), have celebrated perceived victories over the United States and encouraged the use of violence by their followers and supporters to further their objectives.
  • Historically, DVEs and individuals inspired by foreign terrorist organizations have targeted crowded commercial facilities, among other locations, which have at times caused mass causalities. The continued reopening of commercial facilities and the potential for ongoing societal and economic disruptions due to the pandemic, as well as mass gatherings associated with several dates of religious significance over the next few months, could provide increased targets of opportunity for violence.
  • Foreign and domestic threat actors, to include foreign intelligence services, foreign terrorist organizations, and DVEs, continue to introduce, amplify, and disseminate narratives online that promote violence, and have called for violence against commercial facilities, among other perceived ideological opponents.
  • Ideologically motivated violent extremists fueled by personal grievances and violent extremist ideological beliefs continue to derive inspiration from and obtain operational guidance, including regarding the use of improvised explosive devices and small arms, through the consumption of information shared in online forums.

Area Maritime Security Committee 2020 Annual Report

November 5, 2021

On November 2, 2021, the Office of Port and Facility Compliance (CG-FAC) published the Area Maritime Security Committee 2020 Annual Report.

The Annual Report highlighted challenges, suggestions, accomplishments, and best practices across the 43 Area Maritime Security Committees (AMSCs) in 2020. These included, among others, COVID-19 impacts, cybersecurity, Unmanned Aircraft Systems, and Homeport 2.0.

Continuing the Coast Guard’s focus on the cyber domain, a large portion of the Annual Report was focused on cybersecurity and related matters. The Annual Report noted “a noticeable lack of cyber expertise among some AMSC’s membership and regulated facility or vessel operators” and that a “copious amount of information on cyber is being shared, but there is a gap in the technical expertise to translate this information into actionable efforts.”

In response, the majority of AMSCs established cyber subcommittees to help understand and address cybersecurity risks. Additionally, Coast Guard Headquarters is developing cyber training for the field, including a Learning Management System-based module, a Stevens Institute course, and combined CG-FAC / Coast Guard Cyber Command (CGCYBER) / Office of Cyberspace Forces (CG-791) virtual and roadshow workshops.

Nonetheless, despite these efforts and the publication of Navigation and Vessel Inspection Circular (NVIC) 01-20: Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, the  future expectations in the cyber domain and how they will impact Maritime Transportation Security Act (MTSA)-regulated facilities remains a concern for many in industry and many AMSCs.