When the Department of Homeland Security (DHS) published the Chemical Facility Anti-Terrorism Standards (CFATS) in early 2007, it devised a new form of "sensitive but unclassified information," called Chemical-terrorism Vulnerability Information (CVI). CFATS establishes specific types of information that is CVI, such as Security Vulnerability Assessments, Site Security Plans (SSPs), and correspondence between the regulated facility and DHS. CVI must be protected to prevent unauthorized disclosure.
Toward that end, in order to access CVI, a person must be an authorized user with a "need to know." Prospective CVI recipients must complete DHS's CVI authorized user training course that is available on the chemical security portion of the DHS website (www.dhs.gov/chemicalsecurity). Following completion of the training course (which takes about 30 minutes) DHS emails the authorized user a certificate that contains a unique CVI authorized user identification number. Only then may the individual access CVI for which he or she has a "need to know." That is, completion of the authorized user training and receipt of a unique authorized user identification number does not automatically grant a person the right to receive any and all CVI – the individual must still have a "need to know" the specific CVI before he or she may have access to it.
For example, a security manager at a chemical facility has a "need to know" all CVI as it relates to his or her facility. The same security manager likely does not have a "need to know" CVI as it relates to a neighboring CFATS-regulated chemical facility owned and operated by a different company. The CFATS regulation identifies several circumstances when an individual has a "need to know." Often, a person has a "need to know" "[w]hen the person requires access to specific CVI to carry out chemical facility security activities approved, accepted, funded, recommended, or directed by [DHS]."
CFATS requires individuals to take reasonable steps to protect CVI, and there are a number of specific protocols to safeguard it. The notation "CHEMICAL-TERRORISM VULNERABILITY INFORMATION" must appear at the top and the DHS-specified Distribution Limitation Statement must appear at the bottom of all CVI records. When emailing CVI, the file should be encrypted or password protected with the password sent separately. CVI should never be transmitted in the body of an email message. When traveling, CVI should never be included in checked baggage. CVI must be destroyed in a manner "to preclude recognition or reconstruction of the information."
CVI management is an important component of a facility's overall CFATS regulatory compliance efforts. And unlike the flexibility afforded to meet the 18 Risk-Based Performance Standards that cover everything from perimeter security to background checks, DHS's procedures regarding CVI are more strictly defined. Now, three years into the CFATS process, many facilities have developed specific CVI compliance programs as one part of their overall CFATS efforts. Among other things, a well-formulated CVI compliance program maintains a list of all CVI authorized users with a "need to know" and ensures that all CVI records are marked and stored properly. Perhaps most importantly, a CVI compliance program will help a facility pass muster when DHS arrives for SSP inspections in the coming months and years.
To view the complete CFATS e-newsletter this article was featured in, click here.
Content contributed by Steve Roberts of the Houston, Texas-based Roberts Law Group. Roberts is an attorney who advises chemical and petrochemical companies on homeland security regulations, especially the Chemical Facility Anti-Terrorism Standards.