There is in the Department a Chemical Facility Anti-Terrorism Standards Program, which shall be located in the Cybersecurity and Infrastructure Security Agency.
In carrying out the Chemical Facility Anti-Terrorism Standards Program, the Secretary shall—
(A) identify—
(i) chemical facilities of interest; and
(ii) covered chemical facilities;
(B) require each chemical facility of interest to submit a Top-Screen and any other information the Secretary determines necessary to enable the Department to assess the security risks associated with the facility;
(C) establish risk-based performance standards designed to address high levels of security risk at covered chemical facilities; and
(D) require each covered chemical facility to—
(i) submit a security vulnerability assessment; and
(ii) develop, submit, and implement a site security plan.
A facility, in developing a site security plan as required under subsection (a), shall include security measures that, in combination, appropriately address the security vulnerability assessment and the risk-based performance standards for security for the facility.
To the greatest extent practicable, a facility's security vulnerability assessment and site security plan shall include input from at least 1 facility employee and, where applicable, 1 employee representative from the bargaining agent at that facility, each of whom possesses, in the determination of the facility's security officer, relevant knowledge, experience, training, or education as pertains to matters of site security.
Except as provided in paragraph (4), the Secretary shall review and approve or disapprove each site security plan submitted pursuant to subsection (a).
The Secretary—
(i) may not disapprove a site security plan based on the presence or absence of a particular security measure; and
(ii) shall disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established pursuant to subsection (a)(2)(C).
The Secretary may approve an alternative security program established by a private sector entity or a Federal, State, or local authority or under other applicable laws, if the Secretary determines that the requirements of the program meet the requirements under this section.
If the requirements of an alternative security program do not meet the requirements under this section, the Secretary may recommend additional security measures to the program that will enable the Secretary to approve the program.
A covered chemical facility may satisfy the site security plan requirement under subsection (a) by adopting an alternative security program that the Secretary has—
(i) reviewed and approved under subparagraph (A); and
(ii) determined to be appropriate for the operations and security concerns of the covered chemical facility.
In approving or disapproving a site security plan under this subsection, the Secretary shall employ the risk assessment policies and procedures developed under this subchapter.
In the case of a covered chemical facility for which the Secretary approved a site security plan before December 18, 2014, the Secretary may not require the facility to resubmit the site security plan solely by reason of the enactment of this subchapter.
A covered chemical facility assigned to tier 3 or 4 may meet the requirement to develop and submit a site security plan under subsection (a)(2)(D) by developing and submitting to the Secretary—
(i) a site security plan and the certification described in subparagraph (C); or
(ii) a site security plan in conformance with a template authorized under subparagraph (H).
Not later than 180 days after December 18, 2014, the Secretary shall issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards.
If a security measure in the site security plan of an expedited approval facility materially deviates from a security measure in the guidance for expedited approval facilities, the site security plan shall include an explanation of how such security measure meets the risk-based performance standards.
During the period before the Secretary has met the deadline under clause (i), in developing and issuing, or amending, the guidance for expedited approval facilities under this subparagraph and in collecting information from expedited approval facilities, the Secretary shall not be subject to—
(I) section 553 of title 5;
(II) subchapter I of chapter 35 of title 44; or
(III) section 627(b) of this title.
The owner or operator of an expedited approval facility shall submit to the Secretary a certification, signed under penalty of perjury, that—
(i) the owner or operator is familiar with the requirements of this subchapter and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted;
(ii) the site security plan includes the security measures required by subsection (b);
(iii)(I) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan;
(II) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk-based performance standards for the tier to which the facility is assigned; and
(III) the owner or operator has provided an explanation of how the site security plan meets the risk-based performance standards for any material deviation;
(iv) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan;
(v) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan;
(vi) each individual responsible for implementing the site security plan has been made aware of the requirements relevant to the individual's responsibility contained in the site security plan and has demonstrated competency to carry out those requirements;
(vii) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan; and
(viii) the planned measures include an adequate procedure for addressing events beyond the control of the owner or operator in implementing any planned measures.
Not later than 120 days after the date described in clause (ii), the owner or operator of an expedited approval facility shall submit to the Secretary the site security plan and the certification described in subparagraph (C).
The date described in this clause is—
(I) for an expedited approval facility that was assigned to tier 3 or 4 under existing CFATS regulations before December 18, 2014, the date that is 210 days after December 18, 2014; and
(II) for any expedited approval facility not described in subclause (I), the later of—
(aa) the date on which the expedited approval facility is assigned to tier 3 or 4 under subsection (e)(2)(A); or
(bb) the date that is 210 days after December 18, 2014.
An owner or operator of an expedited approval facility shall notify the Secretary of the intent of the owner or operator to certify the site security plan for the expedited approval facility not later than 30 days before the date on which the owner or operator submits the site security plan and certification described in subparagraph (C).
For an expedited approval facility submitting a site security plan and certification in accordance with subparagraphs (A), (B), (C), and (D)—
(I) the expedited approval facility shall comply with all of the requirements of its site security plan; and
(II) the Secretary—
(aa) except as provided in subparagraph (G), may not disapprove the site security plan; and
(bb) may audit and inspect the expedited approval facility under subsection (d) to verify compliance with its site security plan.
If the Secretary determines an expedited approval facility is not in compliance with the requirements of the site security plan or is otherwise in violation of this subchapter, the Secretary may enforce compliance in accordance with section 624 of this title.
If the owner or operator of an expedited approval facility amends a site security plan submitted under subparagraph (A), the owner or operator shall submit the amended site security plan and a certification relating to the amended site security plan that contains the information described in subparagraph (C).
For purposes of this clause, an amendment to a site security plan includes any technical amendment to the site security plan.
The owner or operator of an expedited approval facility shall amend the site security plan if—
(I) there is a change in the design, construction, operation, or maintenance of the expedited approval facility that affects the site security plan;
(II) the Secretary requires additional security measures or suspends a certification and recommends additional security measures under subparagraph (G); or
(III) the owner or operator receives notice from the Secretary of a change in tiering under subsection (e)(3).
An amended site security plan and certification shall be submitted under clause (i)—
(I) in the case of a change in design, construction, operation, or maintenance of the expedited approval facility that affects the security plan, not later than 120 days after the date on which the change in design, construction, operation, or maintenance occurred;
(II) in the case of the Secretary requiring additional security measures or suspending a certification and recommending additional security measures under subparagraph (G), not later than 120 days after the date on which the owner or operator receives notice of the requirement for additional security measures or suspension of the certification and recommendation of additional security measures; and
(III) in the case of a change in tiering, not later than 120 days after the date on which the owner or operator receives notice under subsection (e)(3).
Notwithstanding subparagraph (A) or (E), the Secretary may suspend the authority of a covered chemical facility to certify a site security plan if the Secretary—
(I) determines the certified site security plan or an amended site security plan is facially deficient; and
(II) not later than 100 days after the date on which the Secretary receives the site security plan and certification, provides the covered chemical facility with written notification that the site security plan is facially deficient, including a clear explanation of each deficiency in the site security plan.
If, during or after a compliance inspection of an expedited approval facility, the Secretary determines that planned or implemented security measures in the site security plan of the facility are insufficient to meet the risk-based performance standards based on misrepresentation, omission, or an inadequate description of the site, the Secretary may—
(aa) require additional security measures; or
(bb) suspend the certification of the facility.
If the Secretary suspends the certification of an expedited approval facility under subclause (I), the Secretary shall—
(aa) recommend specific additional security measures that, if made part of the site security plan by the facility, would enable the Secretary to approve the site security plan; and
(bb) provide the facility an opportunity to submit a new or modified site security plan and certification under subparagraph (A).
If an expedited approval facility determines to submit a new or modified site security plan and certification as authorized under subclause (II)(bb)—
(aa) not later than 90 days after the date on which the facility receives recommendations under subclause (II)(aa), the facility shall submit the new or modified plan and certification; and
(bb) not later than 45 days after the date on which the Secretary receives the new or modified plan under item (aa), the Secretary shall review the plan and determine whether the plan is facially deficient.
If an expedited approval facility does not agree to include in its site security plan specific additional security measures recommended by the Secretary under subclause (II)(aa), or does not submit a new or modified site security plan in accordance with subclause (III), the Secretary may revoke the certification of the facility by issuing an order under section 624(a)(1)(B) of this title.
If the Secretary revokes the certification of an expedited approval facility under item (aa) by issuing an order under section 624(a)(1)(B) of this title—
(AA) the order shall require the owner or operator of the facility to submit a site security plan or alternative security program for review by the Secretary review 1 under subsection (c)(1); and
(BB) the facility shall no longer be eligible to certify a site security plan under this paragraph.
If the Secretary determines that a new or modified site security plan submitted by an expedited approval facility under subclause (III) is facially deficient—
(aa) not later than 120 days after the date of the determination, the owner or operator of the facility shall submit a site security plan or alternative security program for review by the Secretary under subsection (c)(1); and
(bb) the facility shall no longer be eligible to certify a site security plan under this paragraph.
The Secretary may develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification by a covered chemical facility assigned to tier 3 or 4 in lieu of developing and certifying its own plan.
During the period before the Secretary has met the deadline under subparagraph (B)(i),2 in developing and issuing, or amending, the site security plan templates under this subparagraph, in issuing guidance for implementation of the templates, and in collecting information from expedited approval facilities, the Secretary shall not be subject to—
(I) section 553 of title 5;
(II) subchapter I of chapter 35 of title 44; or
(III) section 627(b) of this title.
Nothing in this subparagraph shall be construed to prevent a covered chemical facility from developing and certifying its own security plan in accordance with subparagraph (A).
Not later than 18 months after December 18, 2014, the Secretary shall take any appropriate action necessary for a full evaluation of the expedited approval program authorized under this paragraph, including conducting an appropriate number of inspections, as authorized under subsection (d), of expedited approval facilities.
Not later than 18 months after December 18, 2014, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Energy and Commerce of the House of Representatives a report that contains—
(I)(aa) the number of eligible facilities using the expedited approval program authorized under this paragraph; and
(bb) the number of facilities that are eligible for the expedited approval program but are using the standard process for developing and submitting a site security plan under subsection (a)(2)(D);
(II) any costs and efficiencies associated with the expedited approval program;
(III) the impact of the expedited approval program on the backlog for site security plan approval and authorization inspections;
(IV) an assessment of the ability of expedited approval facilities to submit facially sufficient site security plans;
(V) an assessment of any impact of the expedited approval program on the security of chemical facilities; and
(VI) a recommendation by the Secretary on the frequency of compliance inspections that may be required for expedited approval facilities.
In this paragraph—
(i) the term "nondepartmental"—
(I) with respect to personnel, means personnel that is not employed by the Department; and
(II) with respect to an entity, means an entity that is not a component or other authority of the Department; and
(ii) the term "nongovernmental"—
(I) with respect to personnel, means personnel that is not employed by the Federal Government; and
(II) with respect to an entity, means an entity that is not an agency, department, or other authority of the Federal Government.
The Secretary shall conduct audits or inspections under this subchapter using—
(i) employees of the Department;
(ii) nondepartmental or nongovernmental personnel approved by the Secretary; or
(iii) a combination of individuals described in clauses (i) and (ii).
The Secretary may use nongovernmental personnel to provide administrative and logistical services in support of audits and inspections under this subchapter.
Any audit or inspection conducted by an individual employed by a nondepartmental or nongovernmental entity shall be assigned in coordination with a regional supervisor with responsibility for supervising inspectors within the Infrastructure Security Compliance Division of the Department for the region in which the audit or inspection is to be conducted.
While an individual employed by a nondepartmental or nongovernmental entity is in the field conducting an audit or inspection under this subsection, the individual shall report to the regional supervisor with responsibility for supervising inspectors within the Infrastructure Security Compliance Division of the Department for the region in which the individual is operating.
The authority to approve a site security plan under subsection (c) or determine if a covered chemical facility is in compliance with an approved site security plan shall be exercised solely by the Secretary or a designee of the Secretary within the Department.
The Secretary shall prescribe standards for the training and retraining of each individual used by the Department as an auditor or inspector, including each individual employed by the Department and all nondepartmental or nongovernmental personnel, including—
(i) minimum training requirements for new auditors and inspectors;
(ii) retraining requirements;
(iii) minimum education and experience levels;
(iv) the submission of information as required by the Secretary to enable determination of whether the auditor or inspector has a conflict of interest;
(v) the proper certification or certifications necessary to handle chemical-terrorism vulnerability information (as defined in section 27.105 of title 6, Code of Federal Regulations, or any successor thereto);
(vi) the reporting of any issue of non-compliance with this section to the Secretary within 24 hours; and
(vii) any additional qualifications for fitness of duty as the Secretary may require.
If the Secretary arranges for an audit or inspection under subparagraph (B) to be carried out by a nongovernmental entity, the Secretary shall—
(i) prescribe standards for the qualification of the individuals who carry out such audits and inspections that are commensurate with the standards for similar Government auditors or inspectors; and
(ii) ensure that any duties carried out by a nongovernmental entity are not inherently governmental functions.
For purposes of this subchapter, the Secretary shall establish and carry out a Personnel Surety Program that—
(i) does not require an owner or operator of a covered chemical facility that voluntarily participates in the program to submit information about an individual more than 1 time;
(ii) provides a participating owner or operator of a covered chemical facility with relevant information about an individual based on vetting the individual against the terrorist screening database, to the extent that such feedback is necessary for the facility to be in compliance with regulations promulgated under this subchapter; and
(iii) provides redress to an individual—
(I) whose information was vetted against the terrorist screening database under the program; and
(II) who believes that the personally identifiable information submitted to the Department for such vetting by a covered chemical facility, or its designated representative, was inaccurate.
To the extent that a risk-based performance standard established under subsection (a) requires identifying individuals with ties to terrorism—
(i) a covered chemical facility—
(I) may satisfy its obligation under the standard by using any Federal screening program that periodically vets individuals against the terrorist screening database, or any successor program, including the Personnel Surety Program established under subparagraph (A); and
(II) shall—
(aa) accept a credential from a Federal screening program described in subclause (I) if an individual who is required to be screened presents such a credential; and
(bb) address in its site security plan or alternative security program the measures it will take to verify that a credential or documentation from a Federal screening program described in subclause (I) is current;
(ii) visual inspection shall be sufficient to meet the requirement under clause (i)(II)(bb), but the facility should consider other means of verification, consistent with the facility's assessment of the threat posed by acceptance of such credentials; and
(iii) the Secretary may not require a covered chemical facility to submit any information about an individual unless the individual—
(I) is to be vetted under the Personnel Surety Program; or
(II) has been identified as presenting a terrorism security risk.
Nothing in this section shall supersede the ability—
(i) of a facility to maintain its own policies regarding the access of individuals to restricted areas or critical assets; or
(ii) of an employing facility and a bargaining agent, where applicable, to negotiate as to how the results of a background check may be used by the facility with respect to employment status.
The Secretary shall share with the owner or operator of a covered chemical facility any information that the owner or operator needs to comply with this section.
In carrying out this subchapter, the Secretary shall consult with the heads of other Federal agencies, States and political subdivisions thereof, relevant business associations, and public and private labor organizations to identify all chemical facilities of interest.
For purposes of this subchapter, the Secretary shall develop a security risk assessment approach and corresponding tiering methodology for covered chemical facilities that incorporates the relevant elements of risk, including threat, vulnerability, and consequence.
The criteria for determining the security risk of terrorism associated with a covered chemical facility shall take into account—
(i) relevant threat information;
(ii) potential severe economic consequences and the potential loss of human life in the event of the facility being subject to attack, compromise, infiltration, or exploitation by terrorists; and
(iii) vulnerability of the facility to attack, compromise, infiltration, or exploitation by terrorists.
The Secretary shall document the basis for each instance in which—
(i) tiering for a covered chemical facility is changed; or
(ii) a covered chemical facility is determined to no longer be subject to the requirements under this subchapter.
The records maintained under subparagraph (A) shall include information on whether and how the Secretary confirmed the information that was the basis for the change or determination described in subparagraph (A).
Not later than 6 months after December 18, 2014, and not less frequently than once every 6 months thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Energy and Commerce of the House of Representatives a report that includes, for the period covered by the report—
(A) the number of covered chemical facilities in the United States;
(B) information—
(i) describing—
(I) the number of instances in which the Secretary—
(aa) placed a covered chemical facility in a lower risk tier; or
(bb) determined that a facility that had previously met the criteria for a covered chemical facility under section 621(3) of this title no longer met the criteria; and
(II) the basis, in summary form, for each action or determination under subclause (I); and
(ii) that is provided in a sufficiently anonymized form to ensure that the information does not identify any specific facility or company as the source of the information when viewed alone or in combination with other public information;
(C) the average number of days spent reviewing site security or an alternative security program for a covered chemical facility prior to approval;
(D) the number of covered chemical facilities inspected;
(E) the average number of covered chemical facilities inspected per inspector; and
(F) any other information that the Secretary determines will be helpful to Congress in evaluating the performance of the Chemical Facility Anti-Terrorism Standards Program.
(Pub. L. 107–296, title XXI, §2102, as added Pub. L. 113–254, §2(a), Dec. 18, 2014, 128 Stat. 2900; amended Pub. L. 115–278, §2(g)(8)(A), Nov. 16, 2018, 132 Stat. 4180.)
For termination of section by section 5 of Pub. L. 113–254, see Effective and Termination Dates note below.
2018—Subsec. (a)(1). Pub. L. 115–278 inserted before period at end ", which shall be located in the Cybersecurity and Infrastructure Security Agency".
Section effective on the date that is 30 days after Dec. 18, 2014, and authority provided under this section to terminate on July 27, 2023, see sections 4(a) and 5 of Pub. L. 113–254, set out as notes under section 621 of this title.