PIA for CFATS

Privacy Impact Assessment Update
for the

Chemical Facility Anti-Terrorism Standards
(CFATS) Program
DHS/NPPD/PIA-009
July 26, 2012
Contact Point
David Wulf
NPPD/IP/ISCD
(703) 603-4778
Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780

Abstract
The Department of Homeland Security (DHS), National Protection and Programs
Directorate (NPPD) is consolidating and updating the Privacy Impact Assessment (PIA) for the
Chemical Facility Anti-Terrorism Standards (CFATS) regulations, 6 CFR Part 27. This PIA
replaces the former PIAs for the Chemical Security Assessment Tool (CSAT) and CFATS, in
order to provide a unified analysis of the collection and use of personally identifiable information
(PII) as part of CFATS. CFATS is the DHS regulation that governs security at high-risk
chemical facilities and represents a national-level effort to minimize terrorism risk to such
facilities.

Overview
Section 550 of the Department of Homeland Security Appropriations Act of 2007, Pub.
L. No. 109-295 (―Section 550‖), authorizes DHS to regulate the security of high-risk chemical
facilities. NPPD implements this statutory authority through CFATS.
CFATS establishes a risk-based approach to identifying and securing chemical facilities
determined by NPPD to be ―high-risk.‖ To assist in making ―high-risk‖ determinations, NPPD
published Appendix A to the CFATS regulation. Appendix A identified over 300 chemicals of
interest (COI) and established a screening threshold quantity (STQ) for each chemical based on
the potential adverse consequences for human life or health if the chemicals were intentionally
released or detonated, stolen and converted into weapons, or mixed with other readily available
materials as a contaminate.
CFATS requires facilities in possession of any COI at or above the applicable STQ to
complete and submit to NPPD a Top-Screen questionnaire. After reviewing the facility
information1 submitted through the Top-Screen, and other available information, NPPD initially
determines which facilities are high-risk. NPPD then notifies each such facility, preliminarily
assigns each facility to a risk-based tier (Tiers 1–4)2, and requires each preliminary high-risk
facility to submit a Security Vulnerability Assessment (SVA).3 Tier 4 facilities may submit an
Alternative Security Program (ASP)4 in lieu of an SVA. Each facility still considered high-risk
1

This PIA differentiates between facility information (which does not contain PII) and PII.
Consistent with Section 550, the CFATS regulation follows a risk-based approach that allows NPPD to focus its
resources on high-risk chemical facilities in accordance with their specific level of risk. NPPD places facilities in
one of four risk-based tiers. Tiers range from Tier 1, which contains the highest-risk facilities, to Tier 4, which
contains the lowest-risk facilities.
3
The SVA is used to identify the critical assets at the facility and to evaluate the facility’s security vulnerabilities in
light of the security issues identified in its preliminary tier notification letter. The SVA provides more in-depth
information that allows NPPD to make a final decision as to whether a facility is high-risk and if it is, to assign a
final risk tier ranking to the facility.
4
A Tier 4 facility may submit an ASP in lieu of an SVA. Any facility may submit an ASP in lieu of a Site Security
Plan.
2