CFATS Cybersecurity Assessment

Frequently Asked Questions

Answers for compliance officers, GCs, and security leads at high-risk chemical facilities about Law & Forensics' CFATS Risk-Based Performance Standards (RBPS) cybersecurity assessment practice — and what the program's lapse means for facilities today. Contact us for a confidential consultation.

What CFATS RBPS 8 requires for cybersecurity at chemical facilities, how the program lapse since July 2023 affects compliance posture, and how to prepare for reauthorization or successor regimes.

What is CFATS, and what does its cybersecurity standard require?

The Chemical Facility Anti-Terrorism Standards (CFATS, 6 CFR Part 27) are CISA-administered security regulations for facilities that hold quantities of chemicals of interest above a Screening Threshold Quantity.

Risk-Based Performance Standard 8 (RBPS 8) — Cyber — requires high-risk chemical facilities to deter cyber sabotage, prevent unauthorized onsite or remote access to critical process controls, and protect security systems and information used to manage them.

CFATS authorization lapsed in July 2023 — does the cybersecurity standard still matter?

Yes. The statutory authority lapsed but the underlying chemical-security risk has not, and reauthorization remains under active congressional consideration.

Facilities with CFATS-tier chemicals continue to face state-level chemical security obligations, insurance and contractual diligence requirements, and CISA voluntary guidance. We advise clients to maintain RBPS 8 controls as a baseline, treat any reauthorized program as a near-term obligation, and use the lapse window to mature ICS/OT cybersecurity beyond the RBPS minimum.

What does Law & Forensics' CFATS cybersecurity assessment cover?

RBPS 8 in full — security policy, access control, personnel security, awareness and training, monitoring and incident response, system development and acquisition, configuration management, audit, and physical/environmental cybersecurity controls.

We evaluate ICS/OT environments (DCS, SCADA, PLC) alongside enterprise IT, and map findings to NIST 800-82 (industrial control systems), the IEC 62443 series, and the CISA Cybersecurity Performance Goals for industrial control systems.

How do you assess OT/ICS cybersecurity at a chemical facility?

We use passive ICS-specific assessment techniques — never active scans on a live process network — combined with documentation review and engineering interviews.

We evaluate IT/OT segmentation, remote-access pathways, vendor maintenance access, secure-by-design implementation, safety-instrumented system isolation, and incident detection. Our methodology is grounded in NIST 800-82 r3 and IEC 62443-2-1 / 62443-3-3.

Does the CFATS cybersecurity assessment differ by facility tier?

Yes. CFATS facilities were tiered 1 through 4, with Tier 1 facilities subject to the most rigorous Site Security Plan and inspection regime.

Higher tiers carry more demanding control expectations under each RBPS, including RBPS 8. We scale assessment rigor accordingly — a Tier 1 facility receives a more exhaustive controls deep-dive and tabletop exercise, while a Tier 4 facility receives a targeted cybersecurity baseline aligned with the facility's actual chemical-security risk profile.

How do you handle a cyber incident at a high-risk chemical facility?

We treat ICS incidents as life-safety events first, regulatory events second.

Containment must not destabilize the process. Our incident response team coordinates with plant engineering, EHS, CISA, the FBI, and (where applicable) state homeland security and EPA, while preserving forensic evidence and preparing notifications under TSA, EPA, and state programs.