ACA and the Paint & Coatings Industry: Enhancing Chemical Security and CFATS

Read below or download now.

The “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2004,” authorized the U.S. Department of Homeland Security (DHS) to develop Chemical Facility Anti-Terrorism Standards (CFATS). The DHS CFATS regulations were issued as a final rule in November 2007. The CFATS program focuses on preventing chemicals of interest from being stolen, diverted, sabotaged or deliberately released by terrorists or other bad actors.

Under CFATS, chemical facilities possessing more than a threshold amount of specific explosive, toxic, or other “chemicals of interest” determined by DHS, are required to complete a “top-screen,” notifying DHS that they possess such chemicals on site. Once a facility submits its top-screen, DHS can direct the facility to submit a Security Vulnerability Assessment (SVA). The SVA provides the basis for DHS to assign the facility to one of four tiers: Tiers 1 and 2 being the highest risk, and Tiers 3 and 4 being the lowest. Tier assignment triggers a requirement to submit a Site Security Plan (SSP) or an Alternative Security Plan (ASP) to DHS for authorization and approval.

CFATS currently covers approximately 3,400 chemical facilities, which have been assessed to present a risk of terrorist attack or exploitation.

DHS implements the CFATS program under a variety of short-term authorizations by Congress. Authorization for the current CFATS standards would sunset in January 2019, if Congress does not reauthorize the program. Congress is currently considering a multi-year reauthorization for the CFATS program, but at this writing, reauthorization legislation has yet to be introduced. In June 2018, the Senate Committee on Homeland Security and Governmental Affairs, as well as the House Energy and Water Subcommittee on Environment, held hearings on CFATS and sought industry input for legislative “fixes” in the reauthorization text. Notably, in the last Congressional reauthorization, legislation improved management practices and whistleblower protections, and simplified reporting and information sharing; addressed some of the major impediments to completing site security plans and full implementation of the program; clarified that covered facilities may meet site security plans through alternate security plans approved by DHS and provided an option to use third parties as inspectors; improved Congressional oversight regarding tiering methodology; and ensured better coordination with state and local officials.

The American Coatings Association (ACA), which represents the more than $28 billion paint and coatings manufacturing industry in the United States, operating in all 50 states, and employing over 60,000 people engaged in the manufacture and distribution of its products, strongly encourages multi-year reauthorization of the CFATS program. ACA supports the safe handling and use of chemicals, and the structure which CFATS provides to enable that in practice. ACA is also a longstanding member of the Chemical Sector Coordinating Council (CSCC). Organized by DHS, the CSCC expands communication between industry and DHS. Through the CSCC, ACA has advised DHS on how it might develop more effective solutions to implement and improve chemical security. These recommendations are compiled from ACA’s member companies, who own and operate paint, coatings, resin, or chemical manufacturing facilities. Some of these facilities are subject to CFATS, with a clear majority being classified as Tier 4 facilities, while just a few are Tier 3.

This Issue Backgrounder highlights some suggested improvements to enable the CFATS program to work optimally and in accordance with its Congressional intent. These enhancements include greater transparency for CFATS tiering determinations and security plan review; a focus on risk-based determinations for personnel surety requirements; regular review of the “chemicals of interest” list; and improved coordination for CFATS with other federal chemical security and safety regulatory programs.

Improved Transparency for Tiering Determinations

As mentioned, many paint and coating facilities have previously submitted top-screens to DHS identifying chemicals of interest and have been assigned preliminary or final tiers by the department. As a result, many ACA member companies have been subject to the CFATS Risk-Based Performance Standards for some time.

However, improved transparency by DHS with regulated facilities regarding risk tiering determinations would help those regulated entities better understand what actions they might take to further mitigate risk. Often the facility security director or the personnel with overall responsibility and authority for making critical security risk management decisions for a facility is not aware of the determining factor(s) behind the assigned risk tier level. By way of example, one ACA member reported that for several years it had a CFATS Tier 4 level determination, until last year when DHS moved it up to a Tier 3 level determination, without providing a reason. The member company contends that nothing had changed at its facility to warrant the move. However, DHS failed to provide a legitimate explanation as to why their tiering determination of the facility had been changed. Surely, some explanation or candidness from DHS about its determination process would enable a facility to better appreciate its risk profile.

Risk-based Personnel Surety Requirements

CFATS personnel surety program (PSP) requirements are mandated by Risk-Based Performance Standard 12, a regulatory standard for access into CFATS facilities. However, instead of continuing with the risk-based approach to making a facility more secure envisioned by CFATS, DHS plans to implement a rigid vetting program based on information gathering. The PSP under review will require companies to submit to DHS the names of personnel (e.g., employees, contractors, and visitors) granted unescorted access to critical assets at least 48 hours prior to gaining access. The intended purpose is to enable DHS to screen their names against its Terrorist Screening Database (TSDB). As a result, facilities that have multiple entries daily could suffer major disruptions to operations or be forced to assign plant personnel as escorts for the many visitors they might receive daily.

For some time, DHS has been implementing the terrorist screening portion of the CFATS PSP at all Tier 1 and Tier 2 high-risk facilities — approximately 200 sites. This process requires the facility to collect, manage and protect sensitive personal identifying information on employees and contractors and send that information to DHS for vetting against the TSDB. DHS is planning to extend this program to an additional 3,000 lower risk Tiers 3 and 4 facilities, involving tens of thousands of additional employees and contractors and their personal information. ACA believes that expansion of the PSP program is unnecessary and will needlessly put personal employee information at risk.1 ACA maintains that since Tier 3 and 4 facilities have already been determined to present low-risk, the TSDB requirement is unnecessary for those lower tier facilities, and that DHS should restrict the terrorist screening portion of the CFATS PSP to Tier 1 and Tier 2 facilities.

Regular Review of the ‘Chemicals of Interest’ List

Appendix A of the CFATS regulation (6 CFR Part 27) lists more than 300 chemicals of interest (COI), and their respective screening threshold quantities categorized under three main security issues:

  1. Release: Toxic, flammable, or explosive chemicals or materials that can be released at a facility.
  2. Theft or Diversion: Chemicals or materials that, if stolen or diverted, can be converted into weapons using simple chemistry, equipment, or techniques.
  3. Sabotage: Chemicals or materials that can be mixed with readily available materials.

While the overall aim of this list and screening thresholds are clear, in practice, DHS’s failure to update the COI since the program’s promulgation in 2007 may have unnecessarily expanded the reach of the program. For instance, the current list contains aluminum powder as a COI at a threshold of 100 pounds. DHS subsequently expanded the definition of aluminum powder to include aluminum paste through an interpretation promulgated via the FAQ list maintained by the agency, even though aluminum paste presents a lower risk profile than aluminum powder. ACA and other industry partners engaged in extensive discussions with DHS as to the reasonableness of addressing aluminum paste and powder at the same risk level. ACA contends that re-evaluation of the COI list will afford industry an opportunity to address issues such as this through a formal rulemaking process and urges DHS to regularly review its COI list to make chemical determinations based on risk. Doing so will relieve companies of the burden of unnecessary compliance obligations for low-risk chemicals.

Duplicative Regulatory Requirements

The coatings industry, along with other chemical manufacturing industries, is subject to various regulatory programs that address chemical safety. Beyond CFATS, facilities are subject to the Environmental Protection Agency’s Risk Management Plan (RMP) program authorized by Sec. 112(r) of the Clean Air Act; the Occupational Safety and Health Administration’s Process Safety Management (PSM); and the Department of Transportation’s Hazardous Materials Regulations. Together these regulations offer a broad “safety net” for chemical use and security when properly implemented. While these programs cover many of the same chemicals, they often apply at different thresholds and have somewhat different objectives based on the agency administering them. For example, CFATS has as its primary objective the development of security measures to prevent the deliberate release of highly toxic chemicals, such as chlorine, or the theft or diversion of other chemicals, such as ammonium nitrate, that can be used to manufacture explosives for use by terrorists.

But there are some duplicative requirements. For example, like CFATS, DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA) regulation, HM-232F, requires certain facilities have a security plan; 49 CFR 172 Subpart I requires shippers and carriers of certain hazardous materials to implement security plans; and 49 CFR §172.704(a)(5) requires in-depth security training for each employee of applicable facilities. While there is some obvious overlap on personnel training and security, there is further redundancy with requirements such as OSHA 29 CFR 1910.38, for Emergency Action Plans.

ACA believes there is a real opportunity for federal agencies to work together to streamline these requirements and provide industry some relief from duplicative, onerous regulatory burdens.

A Ready Partner

ACA considers CFATS a necessary regulatory scheme to help industry and communities be safer and more secure, and as such, urges Congress to pass long-term reauthorization of the CFATS program. ACA is eager to work with Congress and DHS as it considers ACA’s recommendations, which would give industry regulatory certainty and stability to make prudent risk management decisions and investments.


For more information, contact:

Allen Irish
Senior Counsel, ACA Legal Affairs

Rhett Cash
Counsel, ACA Government Affairs

Xavier Ferrier
Specialist, ACA Environmental Health & Safety

1 This proposed expansion of the PSP program is a significant concern considering past large-scale breaches of federally maintained databases holding sensitive personally identifiable information.