Safety and Compliance: CFATS Fine Averted

CASE OVERVIEW:

There are roughly 4,000 sites in the United States regulated under the Chemical Facility Anti-Terrorism Standards or CFATS (§ 6 CFR Part 27). This program identifies high-risk facilities that are “required to meet and maintain performance-based security standards appropriate to their unique security challenges” determined by the type and quantity of hazardous chemicals on their premises. CISA (Cybersecurity & Infrastructure Security Agency) must approve a detailed security plan, which is implemented and then periodically reviewed. Compliance with the CFATS regulations may be the last line of defense to protect the safety and wellbeing of a community from a serious terrorist incident.

Contrary to a typical case study, the name, location, and other specifics of the subject company will not be disclosed because of the classified and sensitive nature of this information.

CHALLENGE:

The company’s facility was determined to be in one of the 4 high-risk tiers because two chemicals were present on site in threshold quantities: ammonia (anhydrous) and another high-risk chemical. These are 2 of the 300 chemicals considered COI, or “chemicals of interest,” in the CFATS regulation. A safeguard in the regulation was created to help companies ensure compliance with their approved plan by way of §27.225 (e), which states that “A covered facility must conduct an annual audit of its compliance with its Site Security Plan.” CISA provides a very simple template that can be used by facilities to record this annual audit activity.

1. The facility security officer was assigned this compliance task, although unfortunately he had neither the expertise nor the resources to properly conduct this audit and evaluation of compliance.

2. The FSO was applying the risk-based performance standards requirements for a lower tier than what CISA had assigned the facility and the security plan failed to account for one of two chemicals for which the facility was tiered.

3. Self-audit methodology complacency resulted in checked boxes rather than a trustworthy and reliable verification of compliance, which went undetected because of curtailed on-site CISA inspections during the height of the COVID pandemic. This lack of rigor allowed vulnerabilities, non-compliant conditions and potential for serious consequences to persist.

4. Aside from the safety, security, and potential public relations issues, the company was exposed to severe financial risk because a non-compliant facility can be fined up to $25,000 per day!


SOLUTION:

Business Protection Specialists (BPS) was consulting for the company on a security plan independent of any CFATS compliance requirements. However, during the course of some discussions, it became apparent that the company was understating the required compliance level and applicable risk-based performance standards, as well as the detailed processes necessary under each. Upon learning of this egregious failure, the FSO (Facility Security Officer) immediately hired BPS experts to conduct a comprehensive audit using a thorough methodology BPS developed to reduce client risk of non-compliance. Our audit uncovered major deficiencies with the facility’s site security plan, which had been overlooked for 15 months. We assisted the company in correcting the issues, establishing a more robust audit program, and communicating the updated plan to the regulators. While the client was committed to regulatory compliance, they did not even recognize that there was a significant problem. BPS was able to assist the site in achieving their goal by providing expertise, audit methodology and recommendations to reduce the risk of non-compliance and significant financial exposure. The company avoided what could have been a multimillion-dollar fine.

CONCLUSION:

In addition to an annual audit, CFATS facilities are required to recertify Top Screens, SVAs and SSPs every two or three years, depending on the risk level of the regulated facility. BPS’ comprehensive audit protocol and application of best risk assessment practices should be conducted at least once every recertification cycle to reduce the risk of non-compliance and fines. Preparation and maintenance of records created by this rigorous audit will not only assist companies with their compliance, but also serve as a change management tool in the event of inevitable FSO turnover.

BPS is committed to actively partnering together to ensure the security, safety, and resilience of our critical chemical facilities.