Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS)
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
Since each chemical facility faces different security challenges, Congress explicitly directed the Department of Homeland Security to issue regulations "establishing risk-based performance standards for security at chemical facilities."
The Department developed 18 Risk-Based Performance Standards (RBPS) that all chemical facilities determined to be "high-risk" must meet in their security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) in order to be in compliance with the Chemical Facility Anti-Terrorism Standards (CFATS).
CISA recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. The nonprescriptive nature of a performance standard allows individual facilities the flexibility to address their unique security challenges by selecting the most cost-effective measures or activities to achieve the desired level of performance for each RBPS given the facility's tier level. Facilities may leverage their existing security measures in working toward compliance with CFATS, and specifically the RBPS.
The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulations at their tier level and are tailored to the unique considerations of each facility.
A facility must submit its SSP/ASP detailing the programs, processes, or measures it chooses to implement to meet the RBPS. CISA reviews the SSP/ASP, combined with an onsite inspection, to determine if the facility meets the desired level of performance for each RBPS.
Overview of Risk-Based Performance Standards
The Risk-Based Performance Standards video (YouTube video) provides an overview of the 18 RBPS, which assist high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulation.
RBPS Overarching Security Guidelines
Security measures that differ from facility to facility mean that each facility's suite of security measures presents a new and unique problem for an adversary to solve. To assist chemical facilities in taking a holistic approach to their security posture and determining the appropriate security measures, a facility may think about RBPS through the use of five overarching security objectives: Detection, Delay, Response, Cyber, and Security Management. These guideposts are the overall security objectives that the RBPS address. Each objective spans multiple RBPS and can be satisfied through one or more of those RBPS.
Detection and Delay
Detection is the capability to identify potential attacks or precursors to an attack—hostile attack, theft, diversion, and/or sabotage of a chemical of interest—and to communicate that information, as appropriate.
Delay is the capability to slow down an adversary’s progress sufficiently to allow adequate protective forces to respond by the use of physical security measures, business administrative/procedural measures, and other security management processes.
Detection and Delay standards address a facility's processes, measures, and activities to identify potential attacks, to delay an attack, and to create sufficient time for security personnel to respond before the attack becomes successful.
RBPS that fall under Detection and Delay include:
- RBPS 1 — Restrict Area Perimeter
- RBPS 2 — Secure Site Assets
- RBPS 3 — Screen and Control Access
- RBPS 4 — Deter, Detect, and Delay
- RBPS 5 — Shipping, Receipt, and Storage
- RBPS 6 — Theft and Diversion
- RBPS 7 — Sabotage
Response
The capability to communicate, report, and manage the appropriate reaction(s) to potential attacks and/or adversary actions, and/or to reduce the effect of security-related events. RBPS that fall under Response include:
- RBPS 9 — Response
- RBPS 11 — Training
- RBPS 13 — Elevated Threats
- RBPS 14 — Specific Threats, Vulnerabilities, or Risks
Cyber
The capability to secure critical cyber systems from unauthorized onsite or remote access to critical process controls. RBPS that fall under Cyber include:
Security Management
The capability to manage the SSP, including the development and implementation of policies, procedures, and other processes that support SSP implementation and oversight. RBPS that fall under Security Management include: