| On June 8th, 2007 the new federal Chemical Facility | | | | number of people at the facility that will be handling |
| Anti-Terrorism Security (CFATS) regulation went into | | | | CVI, but there will probably be many more as time |
| effect. This regulation (6 CFR part 27) will put a | | | | goes by. |
| number of reporting requirements on chemical facilities. | | | | The CVI POC will then need to insure that the people |
| These requirements will force a large number of | | | | that will be handling CVI are properly trained and |
| chemical facilities to submit sensitive information to the | | | | cleared through DHS. This means that each of the |
| Department of Homeland Security (DHS). Some of the | | | | people will need to go online to the DHS CVI training |
| information will be sensitive business (inventories, | | | | website. There they will complete the training, the |
| pounds of products produced, estimated market share, | | | | after-training test and fill-out and submit the on-line |
| etc) and security information (vulnerabilities, protective | | | | non-disclosure form. When this is done, DHS will notify |
| measures, worst case scenarios, etc) that neither the | | | | the CVI POC that those people at the facility will be |
| Federal Government nor the facility providing the | | | | Authorized Users of CVI. The CVI POC will maintain |
| information wants to let get into unauthorized hands. | | | | records of the Authorized Users at the facility and |
| To protect this information DHS set up a protected | | | | ensure that they are the only ones given access to |
| class of information called Chemical-terrorism | | | | CVI. |
| Vulnerability Information (CVI). Rules were established | | | | Any time that CVI is to be given to anyone outside of |
| for determining what information falls under the CVI | | | | the chemical facility (except when transmitted through |
| rule, who has access to CVI, how CVI must be | | | | the CSAT system), the CVI POC is required to verify |
| protected, transmitted and stored, and finally how | | | | through DHS that the person destined to receive the |
| out-of-date CVI should be destroyed. These rules | | | | information is an Authorized User. If not, the person will |
| effect DHS, the Federal Government, Courts, State | | | | not be given access to the information. The only |
| and local governments, and first responders. More | | | | exception to this is that in the event of an emergency, |
| importantly it affects the chemical facility that produces | | | | the information may be released to some one the |
| implements and is required to maintain files of CVI. | | | | facility reasonably expects to have a need to know |
| Any chemical facility that is required to submit | | | | (for example a first responder), but the facility must |
| information for a Top Screen is going to need to have | | | | notify DHS of the release of information as soon as |
| a CVI program. The copy of the Top Screen | | | | practical afterwards. |
| submission that each facility is required to maintain on | | | | The CVI POC needs to keep a log of the people that |
| file for three years is a CVI record. The letter that the | | | | CVI documents are released to. The log needs to |
| facility receives from DHS that tells it that the facility is | | | | identify which document was released, when and to |
| a high-risk facility regulated under 6 CFR part 27 is a | | | | whom it was released, as well as when DHS |
| CVI record as will be all of the other correspondence | | | | confirmed that the receiver was an Authorized User. It |
| required between DHS and the facility. The Security | | | | would also seem reasonable for the log to document |
| Vulnerability Assessment (SVA) and the Site Security | | | | when a CVI document was produced or received at |
| Plant (SSP) that high-risk facilities will be required to | | | | the facility and who initiated the document. |
| develop will be CVI as will be the training, drill, and | | | | The facility also needs to insure that the people who |
| maintenance records required to support the SSP. | | | | are working with CVI, or holding CVI have adequate |
| The first thing that the chemical facility will have to do | | | | facilities to protect the documents when they are not |
| is to designate a CVI Point of Contact (CVI POC) who | | | | actually using them. The documents must have a CVI |
| will be required to coordinate the facility CVI program | | | | cover sheet on the front and back of the document |
| with DHS, Federal, State and Local Agency officials. In | | | | and it must be stored in a locked container. The CVI |
| effect this CVI POC will be the person that manages | | | | POC is responsible for auditing this requirement and |
| the CVI program at the facility level. The next thing | | | | making sure that the CVI protection requirements are |
| that the facility will have to do is determine who will be | | | | being met within the facility. |
| required at the facility to handle CVI. Certainly the CVI | | | | It is certainly in the best interest of the chemical facility |
| POC, but also the person designated to enter | | | | that CVI is properly secured and protected. These |
| information into the DHS on-line Chemical Security | | | | rules will be an added burden that will be unfamiliar to |
| Assessment Tool (CSAT) (known as the Preparer), | | | | most chemical facilities. However, any facility that has |
| and the person responsible for the accuracy of that | | | | worked with the Department of Defense on security |
| information (knows as the Submitter). Each member of | | | | issues or with the Department of Energy on nuclear |
| the team that completes the SVA and the SSP will | | | | issues will be familiar with these types of measures. |
| also be handling CVI. This is the absolute minimum | | | | |