Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Search

 
 
  • Topics
    Cybersecurity Best Practices
    Cyber Threats and Advisories
    Critical Infrastructure Security and Resilience
    Election Security
    Emergency Communications
    Industrial Control Systems
    Information and Communications Technology Supply Chain Security
    Partnerships and Collaboration
    Physical Security
    Risk Management
    How can we help?
    GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help Locally
  • Spotlight
  • Resources & Tools
    All Resources & Tools
    Services
    Programs
    Resources
    Training
    Groups
  • News & Events
    News
    Events
    Cybersecurity Alerts & Advisories
    Directives
    Request a CISA Speaker
    Congressional Testimony
  • Careers
    Benefits & Perks
    HireVue Applicant Reasonable Accommodations Process
    Hiring
    Resume & Application Tips
    Students & Recent Graduates
    Veteran and Military Spouses
    Work @ CISA
  • About
    Culture
    Divisions & Offices
    Regions
    Leadership
    Doing Business with CISA
    Contact Us
    Site Links
    Reporting Employee and Contractor Misconduct
    CISA GitHub
Report a Cyber Issue
America's Cyber Defense Agency
Breadcrumb
  1. Home
  2. Resources & Tools
  3. Programs
  4. Chemical Facility Anti-Terrorism Standards (CFATS)
Share:

Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS)

Collage of four risk-based performance standards (RBPS): RBPS 8 - Cyber, RBPS 10 - Monitoring, RBPS 18 - Records, RBPS 1 - Restrict Area Perimeter

Since each chemical facility faces different security challenges, Congress explicitly directed the Department of Homeland Security to issue regulations "establishing risk-based performance standards for security at chemical facilities."

The Department developed 18 Risk-Based Performance Standards (RBPS) that all chemical facilities determined to be "high-risk" must meet in their security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) in order to be in compliance with the Chemical Facility Anti-Terrorism Standards (CFATS).

RBPS Guidance

CISA recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. The nonprescriptive nature of a performance standard allows individual facilities the flexibility to address their unique security challenges by selecting the most cost-effective measures or activities to achieve the desired level of performance for each RBPS given the facility's tier level. Facilities may leverage their existing security measures in working toward compliance with CFATS, and specifically the RBPS.

The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulations at their tier level and are tailored to the unique considerations of each facility.

Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) Guidance (PDF, 1.86 MB )

A facility must submit their SSP/ASP detailing the programs, processes, or measures they choose to implement to meet the RBPS. CISA reviews the SSP/ASP, combined with an onsite inspection, to determine if the facility meets the desired level of performance for each RBPS.

Overview of Risk-Based Performance Standards

The Risk-Based Performance Standards video (YouTube video) provides an overview of the 18 RBPS, which assist high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulation.

RBPS Overarching Security Guidelines

Security measures that differ from facility to facility mean that each facility's suite of security measures presents a new and unique problem for an adversary to solve. To assist chemical facilities in taking a holistic approach to their security posture and determine the appropriate security measures, a facility may think about RBPS through the use of five overarching security objectives: Detection, Delay, Response, Cyber, and Security Management. These guideposts are the overall security objectives that the RPBS address. Each objective spans multiple RBPS and can be satisfied through one or more of those RBPS.

Detection and Delay

Detection is the capability to identify potential attacks or precursors to an attack—hostile attack, theft, diversion, and/or sabotage of a chemical of interest—and to communicate that information, as appropriate.

Delay is the capability to slow down an adversary’s progress sufficiently to allow adequate protective forces to respond by the use of physical security measures, business administrative/procedural measures, and other security management processes.

Detection and Delay standards address a facility's processes, measures, and activities to identify potential attacks, to delay an attack, and to create sufficient time for security personnel to respond before the attack becomes successful.

RBPS that fall under Detection and Delay include:

  • RBPS 1 — Restrict Area Perimeter
  • RBPS 2 — Secure Site Assets
  • RBPS 3 — Screen and Control Access
  • RBPS 4 — Deter, Detect, and Delay
  • RBPS 5 — Shipping, Receipt, and Storage
  • RBPS 6 — Theft and Diversion
  • RBPS 7 — Sabotage

Response

The capability to communicate, report, and manage the appropriate reaction(s) to potential attacks and/or adversary actions, and/or to reduce the effect of security related events. RBPS that fall under Response include:

  • RBPS 9 — Response
  • RBPS 11 — Training
  • RBPS 13 — Elevated Threats
  • RBPS 14 — Specific Threats, Vulnerabilities, or Risks

Cyber

The capability to secure critical cyber systems from unauthorized onsite or remote access to critical process controls. RBPS that fall under Cyber include:

  • RBPS 8 — Cyber

Security Management

The capability to manage the SSP, including the development and implementation of policies, procedures, and other processes that support SSP implementation and oversight. RBPS that fall under Security Management include:

  • RBPS 10 — Monitoring
  • RBPS 11 — Training
  • RBPS 12 — Personnel Surety
  • RBPS 15 — Reporting of Significant Security Incidents
  • RBPS 16 — Significant Security Incidents and Suspicious Activities
  • RBPS 17 — Officials and Organization
  • RBPS 18 — Records

Contact Information

Visit the CFATS Knowledge Center for an online repository of FAQs, articles, and the latest CFATS news.

For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.

Return to top
  • Topics
  • Spotlight
  • Resources & Tools
  • News & Events
  • Careers
  • About
Cybersecurity & Infrastructure Security Agency
  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS
CISA Central 888-282-0870 Central@cisa.dhs.gov
DHS Seal
CISA.gov
An official website of the U.S. Department of Homeland Security
  • About CISA
  • Accessibility
  • Budget and Performance
  • DHS.gov
  • FOIA Requests
  • No FEAR Act
  • Office of Inspector General
  • Privacy Policy
  • Subscribe
  • The White House
  • USA.gov
  • Website Feedback