CFATS Update

As we approach the first anniversary of the expiration of the statutory authority for the U.S. Department of Homeland Security (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program on July 28^th, there is still no concrete path to reauthorization on the horizon. Read on for recent activity related to CFATS.

Reauthorization

DHS and industry groups such as the American Chemistry Council (ACC) are continuing to push for the CFATS program’s reauthorization. There have been attempts at reauthorization, including a bipartisan amendment to the 2025 National Defense Authorization Act (NDAA) in mid-June 2024 that would have reauthorized CFATS; however, the amendment failed to reach the floor in the house. Two Senate committee chairs, Environment and Public Works Committee and Homeland Security and Governmental Affairs Committee, are currently looking at amendments to the 2025 defense bill and other ways to reauthorize CFATS. Funding was maintained in the fiscal year 2024 budget, meaning that funding is available if/when the program is reauthorized. In July, DHS hosted virtual Chemical Security Seminars in lieu of the in-person Chemical Security Summit held in years past. CFATS reauthorization continues to have strong bipartisan support in both houses.

CSAT Breach

According to DHS’s website, the Chemical Security Assessment Tool (CSAT) portal was the “target of a cybersecurity intrusion by a malicious actor from January 23-26, 2024.”  During the CFATS program’s tenure, facilities subject to CFATS were required to submit information to DHS via the CSAT portal including Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, and Personnel Surety Program (PSP) submissions. The PSP submissions included personally identifiable information (PII) for individuals with access to areas where regulated chemicals are stored at covered facilities; PII included, at a minimum, first and last name, date of birth, and gender or country of citizenship. The PSP screened individuals’ PII against the Terrorist Screening Database (TSDB) to alert DHS to individuals with known terrorism ties seeking access to chemicals of interest (COI).

The CSAT portal has been inaccessible since the program’s statutory authorization expired in July 2023. DHS launched a thorough investigation once the intrusion was discovered; that investigation turned up no evidence of exfiltration of data but revealed that the intrusion may have resulted in unauthorized access of information submitted to the portal as well as CSAT user information. In late June 2024, DHS issued notifications to participant facilities about the breach. Out of an abundance of caution, DHS has recommended the following actions:

• CSAT users should change passwords for any other business or personal accounts that use the same password as their most recent CSAT portal login; and
• Individuals whose PII was submitted through the PSP should be notified of the incident. Because the PII submitted did not include contact information, DHS is unable to contact individuals directly. DHS provided a template letter, which can be found on DHS’s website linked above, for facilities to provide to affected individuals on a voluntary basis. DHS plans to set up a call center for impacted individuals and will provide identity protection for impacted individuals, however neither are available at this time.

Where do we go from here?

As reiterated during the Chemical Security Seminars in July, the threat to chemical facilities did not expire with the CFATS program authorization. During the Seminar, Secretary Alejandro Mayorkas and others shared about recent incidents where nefarious actors attempted to or were successful in obtaining access to dangerous chemicals. Facilities previously regulated under the CFATS program are encouraged to maintain their security posture to the extent possible and continue to take advantage of other DHS resources, including the ChemLock program. At this time, there is no way for facilities to screen employees against the TSDB as previously required by Risk Based Performance Standard (RBSP) 12.4 of the CFATS program.

With the Presidential election looming on the horizon, it seems unlikely that CFATS will be reauthorized in the near future, but anything can happen. Stay tuned for more, and feel free to reach out to Lizzie Smith at lsmith@all4inc.com with any questions.