CFATS and Cyber Incident Reporting
9-2-21
Today CISA updated both the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page and the CFATS Knowledge Center to make the chemical security community aware of new guidance (Reporting Cyber Incidents) on the reporting of cyber incidents under Risk-Based Performance Standard (RBPS) 8 (Cyber) and RBPS 15 (Reporting of Significant Security Incidents).
While the Office of Chemical Security is not currently requiring changes to approved site security plans (SSPs), covered facilities can expect that chemical security inspectors will begin inspecting compliance with this new guidance. Chemical facilities that are not currently covered by CFATS should probably review the new guidance documents and incorporate them into their incident response plans.
CFATS Cyber Reporting
The new Reporting Cyber Incidents page and the nearly identical fact sheet. Most of the information is derived from, and expands upon, information found in RBPS 8 – Cyber in the Risk-Based Performance Standards guidance document. For example, the discussion about critical cyber systems contains a list of examples of systems that might be considered critical cyber systems, that list is taken about verbatim from the guidance document.
New information in that document includes a list of examples of potentially significant cyber incidents. Three additional sections of the page include new information that is not included in the guidance document:
Reporting a Cyber Incident to CISA,
After an Incident, and
Additional Resources
A key point made in the reporting section is a new ‘requirement’: “Once a cyber incident has been detected and response measures in the facility’s security plan have been initiated, high-risk facilities are required to report significant cyber incidents to CISA via CISA Central (central@cisa.gov) in accordance with their SSP or ASP.”
An interesting point is made in the ‘After an Incident’ section of the page. Chemical facilities reporting an incident can expect to see their chemical security inspector conducting a follow-up visit. Not only is the facility required to have copies of the reporting information available for the CSI, but should also be prepared to discuss whether changes would be required to the for their SSP to help prevent similar occurrences in the future.
RBPS Web Page Updates
The RBPS 8 – Cyber webpage has been updated to reflect the new information described above. It also includes a link to a new version of the RBPS 8 Fact Sheet. Both the updated web page and fact sheet expand on the ‘critical cyber system’ discussion found on the Reporting Cyber Incidents page by providing a discussion of cybersecurity techniques applicable for:
Critical Business Systems,
Critical Physical Security Systems, and
Critical Control Systems
The RBPS 15-16 - Significant Security Incidents web page and its associated Fact Sheet apply to both cyber and physical security incidents. While this page also mentions reporting to CISA Central it reinforces the necessity for contacting local authorities via a 911 call for on-going incidents or completed incidents where emergency response activities are required. Only then do they recommend contacting CISA Central.
Facility Follow-up
CFATS covered facilities should review all of these new pages to determine if there is anything covered in them that is not appropriately reflected in their Site Security Plan. If the plans do appear to be deficient in any way, the facility should contact their chemical security inspector to determine if a formal revision of the SSP is required.