DHS releases CFATS reporting requirements for facilities that are also MTSA regulated:
From time to time, you will find a facility regulated by both CFATS and MTSA 2002. Entities that fall under both MTSA and CFATS, or that have a portion of their facility under a CFATS designation, need to be aware of new Physical Security Breach, Suspicious Activity Reporting, and Cyber Security Breach reporting requirements. Please see the links below.
RBPS 15 – Reporting of Significant Security Incidents and RBPS 16 – Significant Security Incidents and Suspicious Activities complement each other and address the importance of developing protocols and procedures for promptly and adequately identifying, investigating, and reporting all significant security incidents and suspicious activities in or near the site to appropriate entities.
Chemical facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program should establish protocols governing the identification and reporting of an incident to the appropriate facility personnel, as well as protocols determining whether the incident is “significant” and thus reported to appropriate facility personnel, local law enforcement, and/or the Cybersecurity and Infrastructure Security Agency (CISA).
What is determined to be a significant incident?
Many events may be considered a security incident, including trespassing, vandalism, petty theft, cyberattacks, bomb threats, and armed attacks. It is generally within the facility’s discretion to determine whether the incident is “significant” or not and thus reported to CISA and local law enforcement. Significant security incidents likely will include events that arise based on intentional threats that attempt to or successfully circumvent a security measure, for example:
- An intentional breach of the facility’s restricted area or perimeter.
- An intentional act to forcefully or covertly bypass an access control point.
- The theft or diversion, or suspected theft or diversion of a chemical of interest (COI).
- An onsite fire, explosion, release of a COI, or other incident requiring the attention of local first responders.
- Any incident with malicious intent that adversely affects critical cyber assets, including information technology (IT) equipment.
What are Suspicious Activities?
Suspicious activities could include a pattern of suspicious people or vehicles in or near the facility, photographing the facility, or other unusual activity indicating that an adversary may be probing or assessing the facility’s security capabilities. This may also include suspicious orders of COI from unknown customers, customers who request cash payments, or delivery to unknown locations or businesses.
Reporting an Incident to CISA
Unlike an MTSA facility that has to report all incidents to the National Response Center (NRC), CFATS facilities must report to CISA Central. Once an incident has been detected and response measures in the facility’s security plan have been initiated, report significant cyber and physical incidents to CISA Central at firstname.lastname@example.org.
When contacting CISA Central, facilities should indicate that they are “critical infrastructure” and within the Chemical Sector. Facilities should also include a description of the incident, indicate that they are regulated under CFATS, and include the facility identification number (i.e., FID) issued to them by CISA when they registered their facility in the Chemical Security Assessment Tool (CSAT).