CISA updates CFATS program landing page, encourages facilities to maintain chemical security measures

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated the landing page of the Chemical Facility Anti-Terrorism Security (CFATS) program, after the Senate failed last week to pass legislation that reauthorizes the program, before its expiration date of July 27, 2023. The failure of the Senate to reauthorize the CFATS program has significant implications for chemical facility security measures, potentially putting these facilities at risk.

“As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire,” the CFATS announcement read. “Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.”

CISA encourages facilities to maintain security measures while adding that if CFATS is reauthorized, CISA will follow up with facilities in the future.

The CFATS regulation applies to facilities across many industries – chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, colleges and universities, laboratories, paint and coatings, and healthcare and pharmaceuticals, among others. Chemical security is not a temporary issue. As threats evolve, CISA is committed to working with stakeholders to protect the nation’s highest-risk chemical infrastructure.

Chemical security expert Patrick Coyle observed in a Wednesday blog post that it “looks like the same announcement has been added to other existing CFATS web pages, with the exception of the CFATS Knowledge Center page which still has the original termination statement. On the limited number of CFATS web pages that I have checked, the program information that was available before last week’s program termination remains on those pages.”

Commenting on the expiration of the CFATS program, Brian Harrell, former Assistant Director for Infrastructure Security at CISA, which oversaw the Office of Chemical Security, wrote in a statement that while CFATS is a useful program that demonstrates chemical security risk-reduction, it also needs to be updated. “Very few updates have materialized from its original authorization in 2007. Every time we reauthorize a ‘clean’ bill, there’s an acknowledgment that we need to modernize the standards, but then DHS never does. 

“The CFATS cyber performance standards are lackluster, and it still does not sufficiently take into account emerging risks like insider threat or overhead concerns from drones, despite staff stretching loose interpretations of compliance,” according to Harrell. “I appreciate that CFATS works with industry to mitigate security risks, but in order to justify its monumental $1B historical price tag, it needs to mature with the times. Status quo is an eventual death sentence for security regulations where tactics and threat actors are constantly changing.” 

Harrell also pointed out that interestingly, the chemical sector loves this regulation because the standards never mature, nearly no fines are levied, and the costs to ‘comply’ never go up. “The very small handful of companies to ever receive a monetary fine are small businesses, which seems a bit backward. I do appreciate that most chemical facilities fall outside of CFATS regulation, so the voluntary program that we conceptualized back in 2019, is a huge feather in the modern-day cap,” he added.

Senator Rand Paul, a Republican from Kentucky, blocked the H.R. 4470 bill in the Senate that would re-authorize the U.S. program to address terrorism and site security, allowing it to expire at the end of last Thursday. Paul feared that the bill was being rushed through the Senate. He said there were no hearings about CFATS or whether it was effective. The bill was to extend the authorization of the program of the Department of Homeland Security (DHS) until July 27, 2025.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.