Security laws, regulations and guidelines directory

By CSO staff, CSO |  Security, privacy, regulation

What it covers: The CFATS regulation went into effect in 2007 and was developed as part of the Homeland Security Appropriations Act. It imposes federal security regulations for high-risk chemical facilities, requiring covered chemical facilities to prepare Security Vulnerability Assessments and to develop and implement Site Security Plans that include measures to satisfy the identified risk-based performance standards. The regulations are in place through October 2011, at which point they will either be made permanent or will be extended with tougher requirements. One requirement under consideration is the Inherently Safer Technologies provision that would require some facilities using, storing and manufacturing certain chemicals to possibly change processes and the chemicals used.

Who is affected: Chemical facilities, including manufacturing; storage and distribution; energy and utilities; agriculture and food; paints and coatings; explosives; mining; electronics; plastics; and healthcare.

Link to the law:

Key requirements/provisions: CFATS uses performance standards rather than prescriptive standards. These standards are "risk-based," meaning that security measures vary depending on each facility's determined level of risk.

To that end, DHS created a tiered system and assigned each chemical facility to one of four "risk" tiers, ranging from high (Tier 1) to low (Tier 4) risk. Tier assignment is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.

Once assigned a tier, facilities must comply with 19 categories of risk-based performance standards:

1. Restrict Area Perimeter

2. Secure Site Assets

3. Screen and Control Access

4. Deter, Detect, Delay

5. Shipping, Receipt and Storage

6. Theft and Diversion

7. Sabotage

8. Cyber

9. Response

10. Monitoring

11. Training

12. Personnel Surety

13. Elevated Threats

14. Specific Threats, Vulnerabilities, Risks

15. Reporting of Significant Security Incidents

16. Significant Security Incidents and Suspicious Activities

17. Officials and Organization

18. Records

19. Address any performance standards the assistant secretary may specify

Source: Department of Homeland Security

Section three: Key state regulations (with broad impact in the US)

Massachusetts 201 CMR 17 (aka Mass Data Protection Law)

Originally published on CSO.