CFATS Risk-Based Performance Standard (RBPS) 18 – Records


RBPS 18 – Records is the performance standard that addresses the creation, maintenance, protection, storage, and disposal of specific security-related records pursuant to 6 CFR § 27.255.

The development and maintenance of records can help a chemical facility covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program prepare for a response to a security incident, identify security gaps, ensure security equipment is in good working order, and verify that facility security personnel are familiar with security procedures.

  • Read or download the CFATS RBPS Guidance.
  • Read or download the RBPS 18 – Records Fact Sheet.
  • Read or download the Sample Records for RBPS 18. The Cybersecurity and Infrastructure Security Agency (CISA) has identified industry best practices in developing and maintaining these records under the above guidance. The sample records are voluntary tools that a facility may find helpful in complying with RBPS 18 and can be tailored to the facility's specific needs.

Record Types and Requirements

All records required to be created or retained under 6 CFR § 27.255 are considered Chemical-terrorism Vulnerability Information (CVI) under the CFATS regulation 6 CFR § 27.400(b)(6) and must be protected, maintained, and marked as such, unless records maintained under items 1–5 were created to satisfy a regulatory requirement other than 6 CFR Part 27. Records must be retained for three years and may include:

  1. Trainings
  2. Drills and exercises
  3. Incidents and breaches of security
  4. Maintenance, calibration, and testing of security equipment
  5. Security threats
  6. Audits (e.g., Site Security Plan [SSP]/Alternative Security Program [ASP] audit)
  7. Letters of Authorization and Approval

Training Records

Under RBPS 11 – Training, the records for training must include:

  • Date and location of each training session
  • Time of day and duration of each session
  • Description of the training
  • Name(s) and qualifications of the instructor(s)
  • List of attendees (including each attendee’s signature)
  • At least one unique identifier of each attendee receiving training
  • Results of any evaluation or testing

Records of Drills and Exercises

To satisfy RBPS 9 – Response and RBPS 11 – Training, records for drills and exercises that are part of the facility’s training program to prepare its personnel to respond to incidents must include:

  • Date held and description of the drill or exercise
  • List of participants
  • List of equipment (excluding personal equipment) tested or employed in the exercise/drill
  • Name(s) and qualifications of the exercise director(s)
  • Best practices or lessons learned that may improve the SSP

Records of Security Incidents

Under RBPS 15 – Reporting of Significant Security Incidents and RBPS 16 – Significant Security Incidents and Suspicious Activities, records of incidents and breaches of security must include:

  • Date and time of occurrence
  • Location within the facility
  • Description of the incident or breach
  • Name(s) to whom it was reported
  • Description of the response

Maintenance Records

Under RBPS 10 – Monitoring, records of maintenance, calibration, and testing of security equipment must include:

  • Date and time
  • Name(s) and qualifications of the technician(s) doing the work
  • Specific security equipment involved for each occurrence of maintenance, calibration, and testing

Records may also be handled and maintained by third-party contractors but must be available for inspection by CISA upon request.

Records of Security Threats

Under RBPS 13 – Elevated Threats and RBPS 14 – Specific Threats, Vulnerabilities, or Risks, records of security threats must include:

  • Date and time of occurrence
  • How the threat was communicated
  • Name(s) of who received or identified the threat
  • Description of the threat
  • Name(s) to whom it was reported
  • Description of the response

Audit Records

Under RBPS 18 – Records, records of SSP/ASP audits must include:

  • Date of the audit
  • Results of the audit
  • Name(s) of who conducted the audit
  • Letter (or similar document) certified by the covered facility stating the date that the audit was conducted

The first audit must be completed 12 months after the SSP/ASP approval and annually thereafter.

Contact Information

Information provided is derived from the CFATS RBPS Guidance. For additional information on RBPS 18 and all other RBPS, please visit the RBPS webpage.

For more information on the CFATS program, please contact CFATS@hq.dhs.gov.
