CFATS Risk-Based Performance Standard (RBPS) 11 — Training
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
RBPS 11 — Training is the performance standard that addresses security and response training, exercises, and drills for facility personnel. By properly training its personnel, a facility prepares them to better identify and respond to suspicious behavior, attempts to enter or attack a facility, or other malevolent acts by insiders or intruders.
A strong training program typically includes personnel-specific exercises and drills, and joint activities involving law enforcement and first responders. Well-trained personnel who practice how to react and who understand the facility's layout will be more effective at detecting attackers, delaying intruders, initiating response activities, and reducing the consequences of an attack.
Security Awareness and Training Program
Under RBPS 11, a facility should maintain a Security Awareness and Training Program (SATP)—a predefined and documented set of training activities that focuses on relevant security-related issues and enhances facility personnel's overall security awareness.
A comprehensive SATP applies to all levels of facility personnel, including executives, management, and operational and technical employees. Objectives may include reviewing response plans, policies, and procedures, and ensuring personnel are familiar with security equipment operations.
A comprehensive SATP should include:
- Training: Hands-on activities, orientations, online or interactive programs, and briefings.
- Exercises: Predefined, documented set of activities that represent a realistic rehearsal of an emergency.
- Drills: Exercises focused on a single specific operation or function.
- Tests: Demonstrations that show the correct operation of all equipment, procedures, processes, and systems.
- Joint Initiatives: Training, exercises, or drills that involve the participation of entities outside of the facility.
Tailoring Training Requirements
A facility should consider creating training specific to its risks and security concerns. For example, all facilities should emphasize reporting of a security incident, but a release facility (one with toxic, flammable, or explosive chemicals of interest [COI] that would affect populations within and beyond the facility if intentionally released) should specifically focus on ensuring the workforce has strong vehicle-borne improvised explosive device (VBIED) recognition and notification protocols.
Additionally, a facility should consider tailoring training topics to specific classes of employees, as not all personnel need the same level of training. For example, detailed training on security procedures, the operation of security equipment, and security laws and regulations is more beneficial for employees with specific security responsibilities. Conversely, certain topics, such as incident identification and notification, would be beneficial for the entire workforce.
Considerations and Best Practices
- Consider obtaining input from staff on training needs.
- Invite community representatives to provide training.
- Include first responders to improve their understanding of the layout and hazards associated with the facility.
- Align training with other regulatory requirements (e.g., Hazardous Materials Endorsement [HME], Occupational Safety and Health Administration [OSHA]), and include existing training.
- Provide formal training on a set schedule (e.g., annually), but also hold more frequent, informal sessions.
- Include regional or location-specific information as part of your training, if applicable.
Available Training and Resources
Below are a variety of free tools and resources that chemical security partners and stakeholders can use.
- The Chemical Sector Risk Management Agency collaborates with government and sector partners to provide security awareness trainings and resources. For more information, visit the Chemical Sector webpage.
- CISA's ChemLock program offers live, on-demand training to assist owners, operators, facility personnel, retailers, and emergency personnel with understanding the threats that chemicals pose and what security measures can be put into place to reduce the risk of dangerous chemicals being weaponized.
- The Federal Emergency Management Agency (FEMA) provides more than 700 trainings, from emergency planning to chemical spills.
- The Environmental Protection Agency (EPA) provides online courses that grant certification for various Department of Transportation (DOT) and OSHA regulations. At times, facilities can align these trainings with their CFATS trainings.
- The National Terrorism Advisory System (NTAS) provides timely, detailed information about terrorist threats to the American public.
- The National Institute of Standards and Technology (NIST) Computer Security Resource Center provides resources on computer, cyber, and information security and privacy.
- The CISA Cyber Resource Hub has a variety of cybersecurity resources and trainings.
- Active Shooter Preparedness has information on workshops and other resources.
- Commercial Facilities Training includes trainings that may be applicable to chemical facilities, such as surveillance detection.
- CISA Bombing Prevention provides counter-improvised explosive device (C-IED) trainings.