What it covers: The CFATS regulation went into effect in 2007 and was developed as part of the Homeland Security Appropriations Act. It imposes federal security regulations for high-risk chemical facilities, requiring covered chemical facilities to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans that include measures to satisfy the identified risk-based performance standards. The regulations are in place through October 2011, at which point they will either be made permanent or will be extended with tougher requirements. One requirement under consideration is the Inherently Safer Technologies provision, which would require some facilities that use, store and manufacture certain chemicals to possibly change their processes and the chemicals they use.
Who is affected: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.
Key requirements/provisions: CFATS uses performance standards rather than prescriptive standards. These standards are "risk-based," meaning that security measures vary depending on each facility's determined level of risk.
To that end, DHS created a tiered system and assigned each chemical facility to one of four "risk" tiers, ranging from high (Tier 1) to low (Tier 4) risk. Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.
Once assigned a tier, facilities must comply with 19 categories of risk-based performance standards:
1. Restrict Area Perimeter
2. Secure Site Assets
3. Screen and Control Access
4. Deter, Detect, Delay
5. Shipping, Receipt and Storage
6. Theft and Diversion
12. Personnel Surety
13. Elevated Threats
14. Specific Threats, Vulnerabilities, Risks
15. Reporting of Significant Security Incidents
16. Significant Security Incidents and Suspicious Activities
17. Officials and Organization
19. Address any performance standards the assistant secretary may specify
Source: Department of Homeland Security
Section three: Key state regulations (with broad impact in the US)
Massachusetts 201 CMR 17 (aka Mass Data Protection Law)