CVI: Keeping CFATS Info Secure

When Congress created the CFATS mandate, it also created a lot of paperwork.  Site Vulnerability Assessments (SVAs) and Security Site Plans (SSPs) are hundreds of pages long and contain specific information on chemical facilities and their security - not information you would want to fall into the wrong hands.  So DHS had to come up with a way to collect the information while keeping it secure and in the right hands.  To do this, the department developed a new class of information that is sensitive but not classified.  It is called CVI, or Chemical-terrorism Vulnerability Information, and it is meant to protect any information developed during the CFATS process from inappropriate public disclosure.

CFATS designates specific information as CVI.  It includes information from the Top Screen, SVA and SSP.  It also covers any correspondence from DHS relating to tiering, inspections, reviews, etc.  The CVI designation doesn't just apply to paperwork.  It includes information communicated by any means and covers written, verbal, electronic and digital communications.

Handling CVI requires completing the DHS CVI authorized users training course.  It is a 30-minute online course offered by DHS, and it covers all of the very specific requirements for handling CVI.  Once you have completed the training course, you will be emailed a CVI certification with a unique identification number.  This is the first step for anyone who will be involved in the company's CFATS process.  DHS has strict guidelines about how CVI is to be handled.  Some of the specifics include:

  • All CVI records must have the words "CHEMICAL-TERRORISM VULNERABILITY INFORMATION" at the top and the DHS-specified Distribution Limitation Statement at the bottom.
  • CVI should never be sent in the body of an email.
  • Email with CVI attached should be encrypted, and the password should be sent separately.
  • CVI should never be carried in checked baggage when traveling.
  • Care must be taken when destroying CVI material.  It must be disposed of so that it cannot be reconstructed.

Facilities going through the CFATS process should make sure that everyone who needs CVI certification has it, and should keep a record of all CVI-certified personnel.  This goes for consultants and partners as well.  They should also be certified, so that you can share all of the necessary information with them and still follow the CVI rules.

Keeping this information secure is important for everyone involved.  Facilities want to make sure that the information they send to DHS is kept safe, and DHS expects that facilities will also take responsible measures to safeguard information.


Copyright © ADT Security Services, Inc. 2011 - All Rights Reserved.