In Section 550, Congress directed the Department of Homeland Security to identify and secure those chemical facilities that present the greatest security risk. Security risk is a function of the following:
- the consequence of a successful attack on a facility (consequence),
- the likelihood that an attack on a facility will be successful (vulnerability), and
- the intent and capability of an adversary with respect to attacking a facility (threat).
Therefore, Congress and the administration have directed the Department to ensure the security specifically of high-risk chemical facilities.
Risk-Based Performance Standards (RBPS)
Since each chemical facility faces different security challenges, Congress explicitly directed the Department to issue regulations "establishing risk-based performance standards for security of chemical facilities."
Performance standards are particularly appropriate in a security context because they provide individual facilities the flexibility to address their unique security challenges. Using performance standards rather than prescriptive standards also helps to increase the overall security of the sector by varying the security practices used by different chemical facilities. Security measures that differ from facility to facility mean that each presents a new and unique problem for an adversary to solve.
Risk-Based Facility Tiering
The Department has developed a risk-based tiering structure that will allow it to focus resources on the high-risk chemical facilities. To that end, the Department will assign facilities to one of four risk-based tiers ranging from high (Tier 1) to low (Tier 4) risk.
Assignment of tiers is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest. The Department of Homeland Security uses information submitted by facilities through the Chemical Security Assessment Tool Top Screen and Security Vulnerability Assessment processes to identify a facility’s risk, which is a function of the potential impacts of an attack (consequences), the likelihood that an attack on the facility would be successful (vulnerabilities), and the likelihood that such an attack would occur at the facility (threat).
All facilities that were individually requested by the Assistant Secretary or that meet the criteria in Appendix A must complete the CSAT Top Screen. The highest tier facilities, or Phase 1 facilities, are those specifically requested by the Assistant Secretary to complete the Top Screen; these are addressed by the Department first. All facilities that must complete the Top Screen are preliminarily tiered. These facilities are required to complete a Security Vulnerability Assessment (SVA), which provides more in-depth information that allows the Department to assign a final risk tier ranking to the facility.
Facilities preliminarily assigned to Tier 1, 2, or 3 must subsequently submit a CSAT Security Vulnerability Assessment. Tier 4 facilities may submit an Alternative Security Program (ASP) for the Department of Homeland Security to consider in accordance with 6 CFR 27.235(a). Tier 3 and 4 facilities may choose to submit an Alternative Security Program in place of the Site Security Plan for consideration by the Department in accordance with 6 CFR 27.235(a).
Facilities that complete the CSAT Top Screen and do not meet the consequence thresholds do not need to comply with CFATS.
The Department recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. Facilities will be able to make use of information from these improvements. Facilities may also leverage their existing security measures in working toward compliance with CFATS and specifically the risk-based performance standards.
The Department considers a variety of factors in determining the appropriate tier for each high-risk facility, including information about the public health and safety risk, as well as the presence of chemicals with a critical impact on the governance mission and the economy.
The security measures needed to satisfy the risk-based performance standards for each covered facility correspond to the security risks presented by the facility. Accordingly, facilities that present a higher risk will be required to meet more rigorous risk-based performance standards.