Following the terrorist attacks of September 11, 2001, the idea that terrorists would use a chemical facility as a vehicle of mass destruction became a real concern, and law enforcement reports suggested that terrorists were considering such actions.

Initially, the President assigned the nation’s chemical security responsibilities to the US Environmental Protection Agency, which already oversaw a great deal of activity at these sites. However, because of concern with a claim that the Clean Air Act “prevention of accidental release” authority did not give the EPA the authority to regulate against “intentional” acts of terror, primary oversight of chemical security was transferred to the newly created Department of Homeland Security (DHS). At the same time, the President requested specific regulatory authority from Congress.

In October 2006, the President signed a bill giving the DHS authority to regulate security at the nation’s high risk chemical facilities. In accordance with the new law, the DHS promulgated the Chemical Facility Anti-Terrorism Standards (CFATS). CFATS, which took effect June 8, 2007, is now the regulatory structure by which the chemical industry must live.

Sorting Into Tiers

Under CFATS, the DHS will divide chemical facilities into five groups based upon potential risk from a terrorist attack. There will be four “tiers” of facilities required to complete a security plan, with Tier 1 consisting of facilities with the highest risk. A fifth group – expected to include 90 percent of all chemical facilities – will have minimal reporting requirements.

Of the approximately 90,000 chemical facilities in the United States, the DHS expects 5,000 to 8,000 to be considered high enough risk to fall into one of the top four tiers. The DHS expects 200 facilities to qualify for Tier 1, 700 for Tier 2 and 2,500 for Tier 3. The key to tier determination is the likely magnitude of the effect of a terrorist attack. For example, the effect from an attack on an oil refinery in the Northeast would be much greater than that from an attack on an agricultural processing plant in Kansas.

Creating a Site Security Plan

The process will have four steps: Registration, Top Screen, Vulnerability Assessment, and Site Security Plan. The first three steps involve increasingly voluminous information requirements. The final step is the crafting of a security plan based on the information provided in the first three steps. When all the steps are complete, facilities will be inspected using the Site Security Plan they have developed for themselves and which the DHS has approved. The information provided by the facility and the security plan it creates based upon that information will be the standard by which it is judged.


CFATS allows the DHS to assess penalties of up to US$25,000 a day and to shut facilities down for noncompliance. Facilities will be considered in violation if they do not follow their Site Security Plan precisely; some officers in charge of compiling the information may be subject to indictment.

Getting the Right Team

The DHS will measure facilities’ compliance in accordance with how well they enforce their Site Security Plans. As a result, the process will be defined by the tension between providing a highly detailed catalog of risks and limiting the action and recordkeeping items in a Site Security Plan to those that pose a realistic risk to plant security. Including sophisticated security and regulatory personnel or consultants early in the process is a wise first step.