CFATS Compliance Guide: What Chemical Facilities Need to Know in 2026

The Chemical Facility Anti-Terrorism Standards (CFATS) program remains one of the most critical regulatory frameworks for chemical facilities in the United States. As we move through 2026, facilities handling chemicals of interest (COI) must stay current with evolving DHS requirements and ensure their security programs meet the Risk-Based Performance Standards (RBPS). This guide provides a comprehensive overview of CFATS compliance requirements and practical strategies for achieving and maintaining compliance.

Understanding CFATS: The Basics

CFATS, administered by the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, requires chemical facilities that possess certain quantities of designated chemicals of interest to implement specific security measures. The program uses a tiered risk assessment approach, with Tier 1 facilities facing the most stringent requirements and Tier 4 the least.

The first step in CFATS compliance is determining whether your facility is covered. This requires completing a Top-Screen assessment to report quantities of chemicals of interest on your site. CISA then evaluates the information and assigns a preliminary tier level based on the potential consequences of a terrorist attack on the facility.

The 18 Risk-Based Performance Standards

Tiered facilities must develop and implement a Site Security Plan (SSP) that addresses all 18 RBPS. These standards cover four main categories:

Physical Security: Perimeter security, access control, monitoring and surveillance, and securing critical assets against unauthorized access or sabotage.

Personnel Security: Background checks, credentialing, insider threat mitigation, and personnel surety programs.

Cyber Security: Protection of critical cyber systems that could be exploited to cause a chemical release or security incident.

Response and Recovery: Emergency response planning, incident reporting, and recovery procedures following a security event.

Common CFATS Compliance Challenges

Based on our extensive experience conducting CFATS security assessments, the most common compliance challenges include inadequate documentation of security measures and their effectiveness, personnel surety programs that don't meet RBPS requirements, cyber-physical convergence vulnerabilities that aren't addressed, insufficient insider threat programs, and security awareness training that lacks depth and documentation.

The Security Vulnerability Assessment (SVA)

The SVA is the foundation of your CFATS compliance program. It must identify potential threats and adversary scenarios, assess vulnerabilities in your current security posture, evaluate the potential consequences of successful attacks, and recommend countermeasures that address identified gaps. Our military-informed approach to SVAs goes beyond checkbox compliance. With 12 years of military security operations experience, our lead assessor evaluates your facility through the lens of actual adversary tactics — identifying vulnerabilities that conventional assessments miss.

Maintaining CFATS Compliance

CFATS compliance isn't a one-time achievement. Facilities must conduct regular security reviews and update the SSP, report material modifications that could affect security, maintain training records and conduct regular drills, prepare for CISA compliance inspections, and update the Top-Screen when chemical inventories change significantly.

Regular third-party assessments — at least annually — help ensure your security program evolves with emerging threats and regulatory expectations. Our physical security assessment and CFATS-specific evaluations provide the independent verification that CISA inspectors expect to see.

Need help with your CFATS compliance program? Request a CFATS consultation to discuss your facility's specific requirements.