CFATS Risk-Based Performance Standard (RBPS) 18 — Records

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact

RBPS 18 — Records is the risk-based performance standard that addresses the creation, maintenance, protection, storage, and disposal of specific security-related records pursuant to 6 CFR § 27.255.

The development and maintenance of records can help a chemical facility covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program prepare for a response to a security incident, identity security gaps, ensure security equipment is in good working order, and verify that facility security personnel are familiar with security procedures.

Record Types and Requirements

All records required to be created or retained under 6 CFR § 27.255 are considered Chemical-terrorism Vulnerability Information (CVI) under the CFATS regulation 6 CFR § 27.400((b)(6), and must be protected, maintained, and marked as such, unless records maintained under items 1—5 below were created to satisfy a regulatory requirement other than 6 CFR Part 27. Records must be retained for three years and may include:

  1. Trainings
  2. Drills and exercises
  3. Incidents and breaches of security
  4. Maintenance, calibration, and testing of security equipment
  5. Security threats
  6. Audits (e.g., Site Security Plan [SSP]/Alternative Security Program [ASP] audit)
  7. Letters of Authorization and Approval

Training Records

Under RBPS 11 — Training, the records for training must include:

  • Date and location of each training session
  • Time of day and duration of each session
  • Description of the training
  • Name(s) and qualifications of the instructor(s)
  • List of attendees (including each attendee's signature)
  • At least one unique identifier of each attendee receiving training
  • Results of any evaluation or testing

Records of Drills and Exercises

To satisfy RBPS 9 — Response and RBPS 11 — Training, records for drills and exercises that are part of the facility's training program to prepare its personnel to respond to incidents must include:

  • Date held and description of the drill or exercise
  • List of participants
  • List of equipment (excluding personal equipment) tested or employed in the exercise/drill
  • Name(s) and qualifications of the exercise director(s)
  • Best practices or lessons learned that may improve the SSP

Records of Security Incidents

Under RBPS 15 — Reporting of Significant Security Incidents and RBPS 16 — Significant Security Incidents and Suspicious Activities, records of incidents and breaches of security must include:

  • Date and time of occurrence
  • Location within the facility
  • Description of the incident or breach
  • Name(s) to whom it was reported
  • Description of the response

Maintenance Records

Under RBPS 10 — Monitoring, records of maintenance, calibration, and testing of security equipment must include:

  • Date and time
  • Name(s) and qualifications of the technician(s) doing the work
  • Specific security equipment involved for each occurrence of maintenance, calibration, and testing

Records may also be handled and maintained by third-party contractors but must be available for inspection by CISA upon request.

Records of Security Threats

Under RBPS 13 — Elevated Threats and RBPS 14 — Specific Threats, Vulnerabilities, or Risks, records of security threats must include:

  • Date and time of occurrence
  • How the threat was communicated
  • Name(s) of who received or identified the threat
  • Description of the threat
  • Name(s) to whom it was reported
  • Description of the response

Audit Records

Under RBPS 18 — Records, records of SSP/ASP audits must include:

  • Date of the audit
  • Results of the audit
  • Name(s) of who conducted the audit
  • Letter (or similar document) certified by the covered facility stating the date that the audit was conducted

The first audit must be completed 12 months after the SSP/ASP approval and annually thereafter.

Contact Information

Information provided is derived from the CFATS RBPS Guidance. For additional information on RBPS 18 and all other RBPS, please visit the RBPS webpage.

For more information on the CFATS program, please contact