CHEMICAL-TERRORISM VULNERABILITY INFORMATION
This blank template is not CVI until a user begins to populate it with Chemical-terrorism Vulnerability Information as defined by DHS. Please delete this text box as soon as the resulting document contains CVI.
WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose
to persons without a “need to know” in accordance with 6 CFR § 27.400(e). Unauthorized release may result in civil penalties
or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in
accordance with 6 CFR 27.400(h) and (i).
CFATS Alternate Security Program
Security Issues:
Table of Contents
1. Definition of Acronyms and Facility-Specific Terminology
2. Facility Information (RBPS 9, 17)
3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (RBPS 9, 17)
4. Facility Security Overview
4.1. Facility Overview:
4.2. Security/Vulnerabilities, COI’s, Tiers: (OPTIONAL)
4.3. Attack Scenarios and Security Approach:
4.4. Non-Applicable RBPS’s:
4.5. CFATS Timeline and Status: (OPTIONAL)
5. Security Measures – Detailed Description
5.1. Perimeter Security (RBPS 1, 2, 4):
5.2. Access Control (RBPS 1, 2, 3, 4, 5, 7, 12):
5.3. Response to Security Events (RBPS 1, 3, 4, 7, 9, 11):
5.4. Security Monitoring (RBPS 1, 2, 4, 7, NOT RBPS 10):
5.5. Communications, Security Incident Response, Contingency Operations (RBPS 4, 5, 7, 9):
5.6. Shipping and Receiving (RBPS 5, 6, 7, 9, 11):
5.7. Theft (RBPS 2, 3, 5, 6, 7, 12):
5.8. Sabotage (RBPS 7, 11):
5.9. Cyber Security (RBPS 8):
5.10. Inspection, Testing, and Preventive Maintenance (ITPM) (“Monitoring”) of Security Equipment (RBPS 10):
5.11. Training (RBPS 11, 18):
5.12. Personnel Surety (RBPS 12):
5.13. Escalation of DHS NTAS threat level (RBPS 13):
5.14. Reporting and Investigation of Security Incidents (RBPS 15, 16):
5.15. Security Organization (RBPS 6, 17):
5.16. Recordkeeping (RBPS 18):
6. Attachments
1. Definition of Acronyms and Facility-Specific Terminology
2. Facility Information (RBPS 9, 17)
CSAT Facility ID No. [REQUIRED]
Facility Name [REQUIRED]
Facility Description:
o NAICS
o DUNS
o Facility Type
Facility Location Address:
o Street
o City
o State, Zip Code
o Borough/County/Parish
Facility Latitude and Longitude
EPA Facility Identifier
Co-located Host/Tenant Facility
Locale Description (refer to Section 4)
Facility Construction (refer to Section 4)
CSAT Submissions (refer also to Section 4):
o Date of most recent CSAT Top Screen submission
o Date of most recent CSAT SVA submission
o Date of most recent CSAT SSP/ASP submission (if any)
Current CSAT Roles
o Authorizer
o Preparer
o Submitter
Facility Personnel
o Non-security or mixed duty (some security responsibilities)
▪ Full Time
▪ Part Time
▪ Contractor
▪ Shifts and Manning
o Security officers
▪ Proprietary (company employees)
▪ Contractors
▪ Shifts and manning levels
Contact Information
o FSO
o AFSO
o CSO
o Cyber SO
Facility Description
o Associated Sector (i.e., which CIKR sector(s) include this facility)
o Overview of facility/operations (see Section 3)
Emergency Responders, On-Site
o Overview of Coverage and Operations
o Emergency Management Team
o Fire Department
o Emergency Medical Technicians
o HAZMAT Team and Equipment
o Special Response Capabilities
Emergency Responders, Off-site
o Overview of Coverage and Operations
o Local Emergency Preparedness Council, Office of Emergency Management, Mutual Aid Group (list and describe all that apply to this facility)
▪ Overview/capability
▪ Contact Information
▪ Coverage
▪ Response time and how verified
▪ MOU in place
o Fire/Emergency Medical Service
▪ Department
▪ Contact information
▪ Coverage
▪ Capability
▪ Response time and how verified
▪ MOU in place
o Law Enforcement
▪ Department
▪ Contact information
▪ Coverage
▪ Response time and how verified
▪ SWAT and bomb squad capability and response time
▪ Emergency management capability
▪ Response drills and exercises (internal or joint with facility)
▪ MOU in place
o Special Response Capabilities, Off-site
▪ FBI
▪ ICE
▪ TSA
▪ US Army Bomb Squad
▪ US Army CBRNE Team
▪ US Coast Guard
▪ US Marine Corps CBRNE Team
▪ US Marshals or other Fed Law Enforcement
▪ CDC
▪ EPA
▪ FDA
▪ State Police
▪ State Environmental Agency, Office of Emergency Management
▪ County Police
▪ County HAZMAT
▪ Sheriff
▪ Bomb Squad
▪ Maritime Law Enforcement
▪ American Red Cross
▪ Salvation Army
Other Emergency Management Information
o Facility Shelter-in-Place Capability
o Community Notification System
3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (RBPS 9, 17)
Chemical(s)
o Name/ CAS#/security-vulnerability issue
Other Chemicals
o Name, CAS#/security-vulnerability issue
Chemicals Shipped and/or Sold
o Name/CAS#/security-vulnerability issue, transportation mode
Chemicals Received
o Name/CAS#/security-vulnerability issue, transportation mode
Chemicals Manufactured
o Name/CAS#/security-vulnerability issue
4. Facility Security Overview
4.1. Facility Overview:
4.2. Security/Vulnerabilities, COI’s, Tiers: (OPTIONAL)
Security/Vulnerability Issue | COI | Tier Level
4.3. Attack Scenarios and Security Approach:
4.4. Non-Applicable RBPS:
4.5. CFATS Timeline and Status: (OPTIONAL)
5. Security Measures – Detailed Description
Site Operating Boundary
Buildings
Yard
Restricted Areas and Critical Assets (overview/ definition)
o Non-enclosed restricted areas or critical assets
o Those housed in a structure or enclosure
o Operating practices surrounding restricted areas or critical assets
Special Considerations
o Features of the plant layout, physical terrain, locale, and location of RA/CA’s that enhance security and reduce the potential for successful terrorist attacks (see also Section 4.4)
5.1. Perimeter Security (RBPS 1, 2, 4):
Security Barriers, Perimeter Fence and Top Guard (full description).
Topographical or Landscaping Barriers
Vehicle Barriers
Security Patrols
Clear Zone and/or Standoff Distance
o Internal
o External
Signage
Buildings that are part of perimeter
Lighting (overview)
Security Systems
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.2. Access Control (RBPS 1, 2, 3, 4, 5, 7, 12):
Gates
o Motor Vehicle
o Rail
o Personnel
o Emergency
Signage
Facility Personnel (Employee/Contractor) Identification and Access Measures (see Section 5.12 for Personnel Surety):
o Identification method
o Screening and Inspections
Visitor Identification and Registration
o Process and Procedures (including scheduled and non-scheduled visitors)
▪ Identity verification
▪ Visitor badges
▪ Escorting
o Screening and Inspections
o System Controls
▪ Layers, restricted zones – secondary access
Vehicle Registration
o Process and Procedures
▪ ID tags or stickers
o Screening and Inspection
o System Controls
Vehicle Parking Security Measures
o Onsite Parking Restrictions, Signage, Barriers
Escort, overview
o Process and Procedure, Restrictions
Other access points or perimeter openings
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.3. Response to Security Events (RBPS 1, 3, 4, 7, 9, 11):
Security Operations
o Security Response Process
o Emergency Response Plan
o Security Training and Exercises
o Off Site Monitoring:
▪ Internal
▪ External – proprietary or contractor
Security MOU’s in place
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.4. Security Monitoring (RBPS 1, 2, 4, 7, NOT RBPS 10):
Security Systems (Examples: IDS, CCTV, Personnel Coverage)
o Overview
▪ List the systems and how they work together
▪ Backup power
o Coverage of Each System
▪ Perimeter
▪ Access Points
▪ Storage Area
▪ Loading / Unloading Area
▪ Critical Assets/Restricted Areas
o System Descriptions - Suggest detailed descriptions of each system sufficient to assess performance and availability (may refer to Section 5.1 if systems are the same for perimeter)
▪ CCTV – number, location, type, night capable, recording capacity, back-up power, how secured, where monitored, maintenance process
▪ Intrusion Detection – type, location, back-up power, where monitored, maintenance process
Monitoring
o Overview of Process and Procedures
External Emergency Notifications
Additional Information
o Local to site
o Accessible offsite
o Monitored on/offsite
Proposed or Planned Measures
o Overview
o Time Line
5.5. Communications, Security Incident Response, Contingency Operations (RBPS 4, 5, 7, 9):
Note: Make reference as needed to on- and off-site first responders listed in Section 2, and confirm consistency
Internal Emergency Notifications
o Overview (systems and process, back-up power and systems)
o Alarm Systems/Notifications
Process Safety Mitigation (as it relates to CFATS and protection of COI)
Crisis Management Plan Overview
o Site emergency plans
o Corporate coverage
o Emergency responders
o Community notification
Contingency Operations of Safety and Security Systems
Training
o Overview
Drills/Exercises
o Overview
Additional Information
o Community Outreach/Liaison
Proposed or Planned Measures
o Overview
o Time Line
5.6. Shipping and Receiving (RBPS 5, 6, 7, 9, 11):
Shipping and Receiving Overview
o Shipment verification
o Identification
o Response to “Unknown Carrier”
Customer Qualification “Know your Customer”
o Program
o Procedures
Transportation
o Carriers
▪ Private
▪ Contract
o Equipment utilized
o On-site storage/parking procedures
o Security coverage
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.7. Theft (RBPS 2, 3, 5, 6, 7, 12):
Scope – Specify for which Theft COI each security measure applies
Personnel Surety
o Coverage
o Overview of current program
o Additional screenings:
COI Storage Area
o Location within facility
o Design
o Standoff Area or Restricted Zone
o Security Coverage
▪ Overview of system and control
▪ Monitoring
o Access Control
▪ Overview of system and coverage
▪ Electronic, access card, etc.
▪ Restrictions
▪ Vehicle entry into restricted zone
▪ Overview, process and procedures
▪ Escorts
o Inventory Control
▪ Overview of process/procedures and review/audit
Incident Reporting Protocol
o Overview of processes for breach, theft, abnormal requests, suspicious activity
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.8. Sabotage (RBPS 7, 11):
Scope – Specify for which Sabotage COI each security measure applies
Personnel Surety
o Coverage
o Overview of current program
o Additional screenings:
COI – Tampering Identification
o Overview of System and Controls
COI Storage Area
o Location within facility
o Design
o Standoff Area or Restricted Zone
o Security Coverage
▪ Overview of system and control
▪ Monitoring
o Access Control
▪ Overview of system and coverage
▪ Electronic, access card, etc.
▪ Restrictions
▪ Vehicle entry into restricted zone
▪ Overview, process and procedures
▪ Escorts
o Inventory Control
 Overview of process/procedures and review/audit
Incident Reporting
o Overview of processes for breach, theft, abnormal requests, suspicious activity
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.9. Cyber Security (RBPS 8):
Cyber components or systems affecting COIs
Cyber Security Policies and Procedures
o Overview
▪ Systems Boundaries
▪ External connection security
▪ Least privilege principle
▪ Rules of behavior
▪ Separation of duties
▪ Physical security of cyber assets
▪ Asset identification
o Accountability
▪ Corporate
▪ Business
▪ Location
o Accessibility
▪ Employee listing
▪ Account monitoring
o Review, Revisions and MOC’s
▪ Schedule
o Training
▪ Level of access
▪ Recertification
o Process for major upgrades/new systems
o LAN
o Perimeter Networks (e.g., video motion detection)
o Remote Access
▪ External connections
▪ VPN
▪ Capability
o Password and Access Control Lists
▪ Employee terminations or position changes
o Service Providers / Third Parties
o Security Incidents
▪ Reporting
▪ Response
▪ Monitor – unauthorized or malicious activity
▪ Significant incidents, external reporting
o Disaster Recovery and Business Continuity
▪ Continuity of operations plans
▪ IT contingency plans
▪ Recovery plans for critical cyber assets
o System life cycle
o Audits
▪ Program
▪ Findings
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.10. Inspection, Testing, and Preventive Maintenance (ITPM) (“Monitoring”) of Security Equipment (RBPS 10):
Site Practices For Inspection, Testing And Preventive Maintenance Of Security Equipment
o Oversight of all systems
o Review
o Accountability
o Manufacturer specifications
o Incident reporting and response
o Alternate measures during outages
Maintenance Vendors and Contractors
o Certification
o Documentation of activities
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.11. Training (RBPS 11, 18):
Training, Security, Reporting, Response and External Agencies
o Employees, CSO, FSO and AFSO
▪ Overview
▪ Process
▪ New employee / Assignment
▪ Reviews
▪ Time lines
o Contractors
▪ Overview
▪ Process
▪ New employee / Assignment
▪ Reviews
▪ Time lines
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.12. Personnel Surety (RBPS 12):
Overview of existing Pre-employment Background Check program
o Internal or outsourced
▪ Verification of social security number
▪ Verification of previous job history
▪ Criminal history check
▪ For employees whose job responsibilities involve operating motor vehicles, DMV checks
▪ USCIS Form I-9 check
▪ Screening for terrorist ties – process to provide information to DHS
▪ Process for existing employees, including frequency
▪ Process for new employees
▪ Records retention policy
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.13. Escalation of DHS NTAS threat level (RBPS 13):
Overview of current policies and procedures
o Process for response to NTAS System level changes, with time line
▪ Elevated
▪ Imminent
o De-escalation process, including time line
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.14. Reporting and Investigation of Security Incidents (RBPS 15, 16):
Overview of Security Incident Processes
o Reporting
▪ Internal reporting
▪ External reporting
o Roles and Responsibilities
o Investigation
o Follow-up
o Accountability
Training
o Types of Incidents to Report
o Reporting Authority
o Time frame
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.15. Security Organization (RBPS 6, 17):
Overview of Company Security Organization
o Coverage
o Accountability
o Roles
o CSO
o Facility Accountability FSO/AFSO
o Facility Manager
Overview of Site Security Team
o Company / Contractor
o SOP
o Armed/unarmed
o Training
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
5.16. Recordkeeping (RBPS 18):
Retention Requirements as per 6 CFR 27.255 (describe process and content)
o Minimum Three Year Retention:
▪ Training
▪ Drills and exercises
▪ Incidents and breaches of security
▪ Maintenance, calibration, testing of security equipment
▪ Security threats
▪ SVA and SSP audits
▪ Letters of authorization and approval
▪ Documentation of results of inspections and audits under 6 CFR 27.250
o Minimum Six Year Retention
▪ Top Screen
▪ SVA
▪ SSP
▪ Related correspondence, including Requests for Review and Requests for Redetermination
o Other Documents At Facility Discretion
▪ Management of change records
Additional Information
Proposed or Planned Measures
o Overview
o Time Line
6. Attachments
Drawings/Diagrams
o Overall Facility Diagram
o Other Diagrams
Photos and Other Illustrations
o Photo “Album”
o Additional Illustrations
MOU’s
Files for Planned or Proposed Security Measures
Facility Diagram(s)
(Include Legend)