Risk-Based Performance Standards (RBPS) 18 – Records is the performance standard that addresses the creation, maintenance, protection, storage, and disposal of specific security-related records pursuant to 6 CFR § 27.255.
The development and maintenance of records can help a covered chemical facility prepare for a response to a security incident, identify security gaps, ensure security equipment is in good working order, and ensure that facility security personnel are familiar with security procedures.
- Read or download the CFATS RBPS Guidance
- Read or download the RBPS 18 - Records Fact Sheet
- Read or download the Sample Records for RBPS 18: CISA has identified best practices among industry in developing and maintaining records under the above guidance. The sample records are voluntary tools that can be tailored to your specific facility and needs.
Record Types and Requirements
All records required to be created or retained under 6 CFR § 27.255 are considered Chemical-terrorism Vulnerability Information (CVI) under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation 6 CFR § 27.400(b)(6), and must be protected, maintained, and marked as such, unless records maintained under items 1–5 were created to satisfy a regulatory requirement other than 6 CFR Part 27.
Records may include:
- Drills and exercises
- Incidents and breaches of security
- Maintenance, calibration, and testing of security equipment
- Security threats
- Audits (e.g., Site Security Plan [SSP]/Alternative Security Program [ASP] audit)
- Letters of Authorization and Approval
All of the aforementioned records are required to be retained for at least three years.
Under RBPS 11 - Training, the records for training must include:
- Date and location of each training session
- Time of day and duration of each session
- Description of the training
- Name and qualifications of the instructor
- List of attendees (including each attendee’s signature)
- At least one unique identifier of each attendee receiving training
- Results of any evaluation or testing
Records of Drills and Exercises
As part of a facility’s training program and to prepare for a response to an incident, facilities may conduct drills and exercises to satisfy RBPS 9 - Response and RBPS 11 - Training. These records must include:
- Date held and description of the drill or exercise
- List of participants
- List of equipment (other than personal equipment) tested or employed in the exercise
- Name(s) and qualifications of the exercise director
- Any best practices or lessons learned that may improve the SSP
Records of Security Incidents
Under RBPS 15 - Reporting of Significant Security Incidents and RBPS 16 - Significant Security Incidents and Suspicious Activities, the facility must maintain records of incidents and breaches of security, which must include:
- Date and time of occurrence
- Location within the facility
- Description of the incident or breach
- Identity of the individual(s) to whom it was reported
- Description of the incident
Under RBPS 10 - Monitoring, the facility must retain records of maintenance, calibration, and testing of security equipment, which must include:
- Date and time
- Name and qualifications of the technician(s) doing the work
- Specific security equipment involved for each occurrence of maintenance, calibration, and testing
Records may also be handled and maintained by third-party contractors, but must be available for inspection by CISA upon request.
Records of Security Threats
Under RBPS 13 - Elevated Threats and RBPS 14 - Specific Threats, Vulnerabilities, or Risks, the facility is required to retain records of security threats, which must include:
- Date and time of occurrence
- How the threat was communicated
- Who received or identified the threat
- Description of the threat
- To whom it was reported
- Description of the response
Under RBPS 18, the facility is required to conduct and retain records of SSP/ASP audits, which must include:
- Date of the audit
- Results of the audit
- Name(s) of the person(s) who conducted the audit
- Letter (or similar document) certified by the covered facility stating the date that the audit was conducted
The first audit must be completed 12 months after the SSP/ASP approval and annually thereafter.