RBPS 18 - Records

Risk-Based Performance Standards (RBPS) 18 – Records is the performance standard that addresses the creation, maintenance, protection, storage, and disposal of specific security related records pursuant to 6 CFR § 27.255.

The development and maintenance of records can help a covered chemical facility prepare for a response to a security incident, identity security gaps, ensure security equipment is in good working order, and that facility security personnel are familiar with security procedures.

Record Types and Requirements

All records required to be created or retained under 6 CFR § 27.255 are considered Chemical-terrorism Vulnerability Information (CVI) under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation 6 CFR § 27.400((b)(6), and must be protected, maintained, and marked as such, unless records maintained under items 1–5 were created to satisfy a regulatory requirement other than 6 CFR Part 27.

Records may include:

  1. Trainings
  2. Drills and exercises
  3. Incidents and breaches of security
  4. Maintenance, calibration, and testing of security equipment
  5. Security threats
  6. Audits (e.g., Site Security Plan [SSP]/Alternative Security Program [ASP] audit)
  7. Letters of Authorization and Approval

All of the aforementioned records are required to be retained for at least three years.

Training Records

Under RBPS 11 - Training, the records for training must include:

  • Date and location of each training session
  • Time of day and duration of each session
  • Description of the training
  • Name and qualifications of the instructor
  • List of attendees (including each attendee’s signature)
  • At least one unique identifier of each attendee receiving training
  • Results of any evaluation or testing

Records of Drills and Exercises

As part of a facility’s training program and to prepare for a response to an incident, facilities may conduct drills and exercises to satisfy RBPS 9 - Response and RBPS 11 - Training. These records must include:

  • Date held and description of the drill or exercise
  • List of participants
  • List of equipment (other than personal equipment) tested or employed in the exercise
  • Name(s) and qualifications of the exercise director
  • Any best practices or lessons learned that may improve the SSP

Records of Security Incidents

Under RBPS 15 - Reporting of Significant Security Incidents and RBPS 16 - Significant Security Incidents and Suspicious Activities, the facility must maintain records of incidents and breaches of security, which must include:

  • Date and time of occurrence
  • Location within the facility
  • Description of the incident or breach
  • Identity of the individual(s) to whom it was reported
  • Description of the incident

Maintenance Records

Under RBPS 10 - Monitoring, the facility must retain records of maintenance, calibration, and testing of security equipment, which must include:

  • Date and time
  • Name and qualifications of the technician(s) doing the work
  • Specific security equipment involved for each occurrence of maintenance, calibration, and testing

Records may also be handled and maintained by third-party contractors, but must be available for inspection by CISA upon request.

Records of Security Threats

Under RBPS 13 - Elevated Threats and RBPS 14 - Specific Threats, Vulnerabilities, or Risks, the facility is required to retain records of security threats, which must include:

  • Date and time of occurrence
  • How the threat was communicated
  • Who received or identified the threat
  • Description of the threat
  • To whom it was reported
  • Description of the response

Audit Records

Under RBPS 18, the facility is required to conduct and retain records of SSP/ASP audits, which must include:

  • Date of the audit
  • Results of the audit
  • Names(s) of the person(s) who conducted the audit
  • Letter (or similar document) certified by the covered facility stating the date that the audit was conducted

The first audit must be completed 12 months after the SSP/ASP approval and annually thereafter.

Contact Information

Information provided is derived from the CFATS RBPS Guidance. For additional information on RBPS 18 and all other CISA RBPS, please visit the RBPS webpage.

For more information on the CFATS program, please contact CFATS@hq.dhs.gov.

Was this document helpful?  Yes  |  Somewhat  |  No