1670-AA01 202210 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 1670 Cybersecurity and Infrastructure Security Agency CISA 1600 Department of Homeland Security DHS Chemical Facility Anti-Terrorism Standards (CFATS)

The Cybersecurity and Infrastructure Security Agency (CISA) previously invited public comment on an Advance Notice of Proposed Rulemaking (ANPRM) during August 2014 for potential revisions to the Chemical Facility Anti-Terrorism Standards (CFATS) regulations. The ANPRM provided an opportunity for the public to provide recommendations for possible program changes. In June 2020, CISA published for public comment a retrospective analysis of the CFATS program. And in January 2021, CISA invited additional public comment through an ANPRM concerning the removal of certain explosive chemicals from CFATS. CISA intends to address many of the subjects raised in both ANPRMs and the retrospective analysis in this regulatory action, including potential updates to CFATS cybersecurity requirements and Appendix A to the CFATS regulations.

]]> Other Significant Previously Published in The Unified Agenda Proposed Rule Stage No No 6 CFR 27 6 U.S.C. 621 to 629 Yes

The Chemical Facility Anti-Terrorism Standards (CFATS) program regulates facilities possessing large quantities of dangerous chemicals. The particular chemicals listed and threshold quantities were established in 2007, and were based on EPA’s threshold quantities for Hazardous Substances published under its Release Management Program. In the 15 years since implementation of the program, CISA has gained extensive experience in analyzing chemical holdings and determining which facilities should be classified as high-risk and subject to further regulation. Given its experience, CISA has determined that it should adjust its list of regulated chemicals, threshold quantities, and counting methods to better reflect the security issues implicated by these chemicals. Additionally, CISA believes that the CFATS security performance guidelines, first issued in 2009, should be updated to better reflect lessons learned over the past decade, including substantially updating the guidelines for cybersecurity performance metrics.

]]>

This regulation is authorized pursuant to 6 U.S.C. 621 et seq.

]]>

CISA considered an alternative version of this NPRM where we updated only the performance guidance but not the chemical listings. Additionally, we considered an alternative version where changes to certain toxic chemical listings were omitted.

]]>

CISA is developing the cost and benefits estimates for this rulemaking.

]]> ANPRM 08/18/2014 79 FR 48693 ANPRM Comment Period End 10/17/2014 ANPRM 01/06/2021 86 FR 495 Announcement of Availability; Retrospective Analysis 06/22/2020 85 FR 37393 Announcement of Availability; Retrospective Analysis Comment Period End 09/21/2020 NPRM 05/00/2023 Yes Businesses Federal Local State No www.regulations.gov www.regulations.gov Yes No 1601-AA69 Previously reported as 1670-AA03 Merged with Ryan Donaghy Deputy Branch Chief for Chemical Security Policy, Rulemaking, and Engagement 1670 Cybersecurity and Infrastructure Security Agency CISA 571 532-4127 ryan.donaghy@cisa.dhs.gov 245 Murray Lane SW, Mail Stop 0610, Arlington VA 20528