CFATS Risk-Based Performance Standard (RBPS) 9 — Response
As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.
Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.
CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.
If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.
RBPS 9 — Response is the risk-based performance standard that addresses the development and exercising of an emergency plan to respond to security incidents with the assistance of local law enforcement and first responders.
Appropriately trained personnel should prepare for and be able to respond to and recover from security incidents such as a fire, aerial release, or other loss of containment of a chemical of interest (COI) at a chemical facility covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Planning and training are important to ensure that facility personnel, onsite security, law enforcement, and first responders are ready to respond to the consequences of a security incident, and to report external and internal security incidents in a timely manner.
The Cybersecurity and Infrastructure Security Agency (CISA) Gateway is a repository of critical infrastructure tools and information—including certain CFATS data on a geospatial map—that improves coordination between federal, state, and local governments, and community stakeholders to prevent, prepare for, and respond to chemical incidents. For more information on who can access CFATS data on the CISA Gateway, visit the CFATS and Executive Order 13650 webpage or download the CFATS and CISA Gateway Fact Sheet.
Security Response vs. Emergency Response
It is important not to confuse a "security response," which is intended to engage and neutralize adversaries, with the broader "emergency response," which follows an attack and attempts to reduce the severity of the event. The initial "security response" has tactical considerations, whereas the "emergency response" relates to containing the damage and mitigating the consequences of a security incident. CFATS-covered facilities should address both security response and emergency response in their emergency plan.
Having established relationships, lines of communications, and plans in place can assist in reducing the impact of these security incidents, which might include:
- Theft or diversion of a COI
- Onsite fire, explosion, or release of a COI
- Loss of containment of a COI
Security Measures for Response
Facilities should consider security measures that involve a response from not only designated facility emergency response personnel, but all facility personnel, as well as local law enforcement and other offsite emergency responders. These security measures include:
- Identifying hazards
- Planning an effective response
- Identifying the number of responders needed
- Identifying the response skills needed for different types of adversary events
- Equipping and training response personnel to maximize their efficiency and knowledge of a site
Crisis Management Plan
One of the most important elements for a successful response to an incident is a well-thought-out, documented crisis management plan, upon which the relevant individuals have been trained.
Crisis management plans should contain strategies for responding to different types of security incidents, including:
- Contingency plans
- Continuity of operations plans
- Emergency response
- Notification control and contact requirements
- Post-incident security (e.g., post-terrorist attack, security incident, accident, hurricane, or other natural disasters)
- Security response
Crisis management plans generally include documented agreements with off-site responders, including:
- Ambulance/medical support
- Environmental restoration support
- Explosive device disposal support
- Firefighting support
- Hazardous spill/recovery support
- Marine support
Training, Drills, and Exercises
The best plans are of limited value in a crisis if the individuals responsible to respond are not prepared. Training, drills, and exercises (such as tabletop and full-scale exercises) play a vital role in maximizing and testing the efficiency of the response plan to a security incident. Involving local first responders when preparing the plan and conducting drills improves responder understanding of the facility's layout and hazards associated with the facility. The first time that local law enforcement or responders access the facility should not be the day of an incident.