CFATS: The new acronym to know

SSN Staff  - 
Friday, February 1, 2008

Six years into the War on Terrorism, facilities that either manufacture or store chemicals in the United States remain among the most significant potential targets, if only because they have the potential to become what some have referred to as "stationary weapons of mass destruction." A new federal regulation, finalized at the end of 2007, seeks to strengthen and standardize security at such facilities. The law, known as the Chemical Facilities Anti-Terrorism Standards or "CFATS," may present security integrators with excellent sales opportunities.
First some background. According to federal estimates, there are more than 15,000 facilities in the United States that manufacture, store or use chemicals in quantities that are potentially dangerous to the public. These facilities range from chemical producers to product manufacturers using chemicals in manufacturing and even include farms with large chemical stores for fertilizer. Many of these "facilities" are located in densely populated urban areas. The federal government estimates that a release of chemicals in nearly half of these facilities would affect thousands, while a release at more than 100 specific facilities would affect more than one million people.
Thus, these facilities present an attractive target for terrorists because they offer the most devastation for the least effort, affording the greatest potential for mass casualties. According to critics, these facilities remain among the least well-secured properties in the United States. Some have called our country's chemical facilities "stationary weapons of mass destruction." Indeed, the Department of Homeland Security believes that about 7,000 of these facilities are at high risk for an accident or a terrorist attack.
Despite the heightened sensitivity to terrorism and the potential for catastrophic damage that such facilities pose, the federal government has left the security of chemical plants largely unregulated. Until recently, the current administration has relied on voluntary security efforts as well as a patchwork of state and local laws. While some owners and operators have voluntarily taken measures to better safeguard their facilities, critics contend that others have done relatively little to upgrade security at their facilities.
Security analysts have consistently expressed concerns about the effect of chemical exposure resulting from a wide range of possible scenarios, including a direct attack on a chemical facility, sabotage or the theft of chemicals by terrorists for use in subsequent terror attacks. As an example, these analysts point to several occasions in which terrorists in Iraq have attempted to steal chlorine. Closer to home, evidence obtained in the federal trial held in connection with the 1993 bombing of the World Trade Center included the admission by an accused terrorist that he stole cyanide from his chemical company employer, intending to release the deadly chemical in the ventilation system of an office building.
CFATS, the recently enacted regulation, requires facilities using or storing any of 300 potentially hazardous chemicals, to submit an on-line risk assessment to DHS. DHS will use the information to determine whether the facility presents a "high level of security risk." If DHS determines the facility presents such a risk, the owner or operator must then comply with the substantive provisions of the regulation, which require, among other things, that high-risk facilities submit a Security Vulnerability Assessment and a Site Security Plan or an Alternative Security Plan. DHS began implementing the regulation last year targeting 300 to 400 facilities and is expected to continue its activities through 2009 when CFATS expires. (Congress is expected to pass more comprehensive legislation before that time.)
Perhaps most importantly for integrators of physical security, thousands of facilities are likely to be subject to the regulation's substantive provisions, requiring more stringent security measures for physical and cyber security. Among other things, owners and operators will be required to better secure their facilities' perimeters and protect their critical targets through some combination of fencing, barricades or electronic detection. Owners and operators will also be required to institute measures to deter theft, both internally and externally, and to prevent sabotage, all of which may create the need for additional and improved security products and services, including fencing, lighting, and access control and security systems.
Notably, CFATS does not preempt existing state laws except to the extent that those laws impede the federal regulation - an unlikely situation. Thus, if an applicable state law requires a greater degree of security than the federal standard, owners and operators will be held not to the CFATS standard, but to the higher standard imposed by the state law.
Although the regulation requires DHS to provide technical assistance and direction to facilities seeking to comply with the newly enacted law, I strongly suspect there will be plenty of opportunity for security integrators to provide assistance and direction. Integrators, installers and security professionals should become fluent in the CFATS regulations and applicable state laws and reach out to these facilities as soon as possible. It's in the best interests of both your business and our country.

Eric Pritchard is a partner in the law firm of Kleinbard, Bell & Brecker where he regularly represents buyers and sellers in the electronic security industry. Eric can be reached by at