CFATS Risk-Based Performance Standard (RBPS) 1-7 — Detection and Delay
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov
Detecting and delaying an intrusion or attack on a high-risk chemical facility is a critical component of a facility's security.
The security processes, measures, and activities a covered facility chooses to implement must meet the appropriate risk-based performance standard (RBPS) requirements under the Chemical Facility Anti-Terrorism Standards (CFATS) program for the security issues related to the facility's chemicals of interest (COI) and tier level.
The security measures that address the 18 RBPS fall within five overarching security objectives—Detection, Delay, Response, Cyber, and Security Management—that assist covered chemical facilities in taking a holistic approach to their overall security posture. Detection and Delay are two of the five security objectives and include RBPS 1-7.
- RBPS 1 — Restrict Area Perimeter
- RBPS 2 — Secure Site Assets
- RBPS 3 — Screen and Control Access
- RBPS 4 — Deter, Detect, and Delay
- RBPS 5 — Shipping, Receipt, and Storage
- RBPS 6 — Theft or Diversion
- RBPS 7 — Sabotage
Detection and Delay Overview
A facility's detection measures should be commensurate with its efforts to delay an attack and the ability to create sufficient time for response by appropriate security personnel between detection of an attack and the point at which the attack becomes successful.
- A theft or diversion attack becomes successful when COI is taken offsite through theft or deception and used in an attack. Facilities should detect the action prior to its success.
- A release attack becomes successful when the release of the COI affects the population that is targeted. Release COI have three subcategories: toxic, flammable, or explosive. A toxic release is dependent on the release rate (release can occur slowly) and can be mitigated by containments or other measures, whereas an explosive release happens instantly with little mitigation to slow or stop the effects.
- A sabotage attack occurs offsite as a result of onsite tampering, so detection of tampering at the point of shipment of the COI is most appropriate for these facilities.
Facilities may choose to deploy security measures at the perimeter, asset, or both. Defining assets and deploying security measures at specific assets is particularly important for facilities that require restriction to some employees, customers, etc.
Security Measure Tips for Detection
For a protective system to prevail, detection needs to occur prior to an attack (i.e., in the attack-planning stages) or early enough in the attack to create sufficient delay between the point of detection of the attack and its successful conclusion to allow time for the arrival of adequate response forces to thwart the attempt. Detection may be achieved by using systems, personnel, or a combination of both.
If security measures include the use of systems (e.g., intrusion detection system [IDS] or closed-circuit television [CCTV]), the facility should seek to ensure that the systems cover the appropriate areas or entry points, are activated at the appropriate times, and issue an alarm to a responsible and trained individual to initiate a response.
If the facility utilizes employees or onsite security personnel, they should be capable and trained to provide intrusion detection capabilities and be dedicated to or conduct patrols of the necessary areas.
Security Measure Tips for Delay
A facility should be able to delay an attack for a sufficient period of time to allow appropriate response by security personnel via barriers and barricades (e.g., fencing, walls, locking mechanisms, bollards) and hardened targets. These measures may delay attacks from both personnel and vehicles attempting to access the critical asset.
Delay measures should also take into account security issues. For example, a facility with release COI should consider strong vehicle barriers and sufficient vehicle standoff distances around the COI. The required standoff distances vary depending on the building components used in the construction of the facility.
Facilities should also consider their business operations, especially if they ship, receive, or sell COI. These facilities should consider having delay security measures that include a "know-your-customer" program, in-transit tracking of COI, and confirmation of shipments. Similarly, a facility may put security measures in place to conduct and manage inventory of COI.
Developing a "know-your-customer" program allows a facility to ensure that COI is delivered to or received from a known, approved individual or entity, and helps prevent the theft or diversion of materials through force or deception. An active, documented "know-your-customer" program may include a policy of refusing to sell hazardous materials to those who do not meet the pre-established customer qualification criteria such as:
- Verification and/or evaluation of the customer's on-site security
- Verification that shipping addresses are valid business locations
- Confirmation of financial status
- Establishment of normal business-to-business payment terms and methods (e.g., not allowing cash sales)
- Verification of product end-use