As enumerated by 6 CFR § 27.400(b), CVI includes, among other things:
- Security Vulnerability Assessments (SVAs);
- Site Security Plans (SSPs) and Alternate Security Programs (ASPs);
- CFATS records required to be retained under the regulation (e.g., training, security incidents, etc.);
- DHS-issued initial and final tier determination letters; and
- Inspection and audit findings.
CVI does not include, among other things, information developed and/or submitted to a government agency pursuant to a law or regulation other than CFATS (e.g., EPA RMP).