One of the critical elements of the new Department of Homeland Security (DHS) program for protecting chemical facilities from terrorist attack is a full and complete disclosure of sensitive business and security information by thousands of chemical facilities around the country to DHS. In order to get full voluntary compliance DHS needs to convince these companies that the information provided will be protected against disclosure to their competitors as well as terrorists. DHS has established two tools to help assure companies that that information will be protected; the Chemical Security Assessment Tool (CSAT), a secure web site for submitting the information to DHS, and the establishment of Chemical-terrorism Vulnerability Information (CVI), a classification of protected information.

The basic rules for CVI are spelled out in the Interim Final Rule on Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR part 27, that went into effect on June 8th, 2007. Section 27.400 of this regulation establishes CVI, explains what is covered under the term, the basic information about what must be done to protect CVI, who is authorized to receive CVI and the sanctions that may be applied to personnel, companies and agencies that release CVI to unauthorized personnel.

At a minimum, the following information will be considered to be CVI:

1. Top Screen information provided under section 27.205
2. Security Vulnerability Assessments under section 27.215;
3. Site Security Plans under section 27.225;
4. Documents relating to the Department's review and approval of Security Vulnerability Assessments and Site Security Plans, including Letters of Authorization, Letters of Approval and responses thereto; written notices; and other documents developed pursuant to section 27.240 or 27.245;
5. Alternate Security Programs under section 27.235;
6. Documents relating to inspection or audits under section 27.250;
7. Any records required to be created or retained under section 27.255;
8. Sensitive portions of orders, notices or letters under section 27.300; and
9. Information developed pursuant to section 27.200 and 27.205.

Since DHS has the responsibility to ensure that the CVI is properly protected, they have established a procedure to ensure that people with access to CVI, including personnel at the chemical facilities producing much of the information, are aware of the detailed requirements for the generation, documentation and security of such information. A key part of that procedure is an on-line training program for all personnel who may require access to CVI.

This Chemical-terrorism Vulnerability Information Authorized User Training is a web based training program with an evaluation. Once the evaluation has been completed on-line, an on-line form is submitted to DHS to apply to become an Authorized User. After completing the necessary background checks, DHS will notify that person's parent organization, chemical facility, or government agency that they are authorized users of CVI. That does not automatically give them access to CVI, that can only be done after it has been determined that they have a need to know requirement for that particular CVI; it just means that they have received the CVI equivalent of a security clearance.

Any chemical facility that is going to be producing, receiving, handling, or storing CVI is going to have to prepare for the requirements under section 27.400. First the organization is going to have to appoint a CVI Point of Contact. This person will be responsible for ensuring that all personnel at the facility that will be handling CVI are trained and registered with DHS. They will ensure that all required safeguards for CVI are put into place and enforced at the facility. The Point of Contact will be responsible for determining who has the need-to-know for access to a CVI document at the facility. The Point of Contact will be the go-to-person for people outside of that facility that need to access the CVI from that facility.

The facility will also have to ensure that they have proper safeguards in place for handling and storing CVI documents. It might be advisable for the facility to designate a securable room as an Open Storage Room. Access to the room will have to be strictly limited to those people that have been cleared for access to CVI and have a need to know. The door to the room will have to be locked when no one is physically in the room. Lacking an Open Storage Room, everyone that works on or stores CVI will have to have a lockable container to store the material in when not in use.

For most commercial chemical facilities the requirements for handling, marking, storing and destroying CVI will be something very new. Facilities that have done extensive work for the Department of Defense or Department of Energy will be more familiar with these requirements, because they closely parallel the requirements for handling classified documents. In this case, however, the protection of CVI is done specifically to protect the interests of the chemical facility, not the Federal Government. This should make it easier for the facility personnel to understand why the additional effort is necessary.