Risk-Based Performance Standards (RBPS)

Since each chemical facility faces different security challenges, Congress explicitly directed the Department of Homeland Security to issue regulations "establishing risk-based performance standards for security at chemical facilities." The Department’s Infrastructure Security Compliance Division (ISCD) developed 18 Risk-Based Performance Standards (RBPS) that all chemical facilities determined to be “high-risk” must meet in their security plan (Site Security Plan (SSP) or Alternative Security Plan (ASP)) in order to be in compliance with CFATS.

The non-prescriptive nature of a performance standard allows individual facilities the flexibility to address their unique security challenges by selecting the most cost-effective measures or activities to achieve the desired level of performance for each RBPS given the facility’s tier level.

RBPS Guidance

The Department recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. Facilities may leverage their existing security measures in working toward compliance with CFATS, and specifically the RBPS.

The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulations at their tier level, and are tailored to the unique considerations of each facility.

A facility must submit its SSP/ASP detailing the programs, processes, or measures it chooses to implement to meet the RBPS. DHS reviews the SSP/ASP, combined with an on-site inspection, to determine if the facility meets the desired level of performance for each RBPS.

RBPS Overarching Security Guidelines

Security measures that differ from facility to facility mean that each facility’s suite of security measures presents a new and unique problem for an adversary to solve. To help chemical facilities take a holistic approach to their security posture and determine the appropriate security measures, a facility may think about RBPS through the use of five guideposts: Detection, Delay, Response, Cyber, and Security Management. These guideposts are the overall security objectives that the RBPS address. Each guidepost bridges multiple RBPS and can be satisfied through one or more of those RBPS.

Detection

The capability to identify potential attacks or precursors to an attack—hostile attack, theft, diversion, and/or sabotage of a chemical of interest—and to communicate that information, as appropriate.

RBPS that fall under Detection include: RBPS 1 (Restrict Area Perimeter); RBPS 2 (Secure Site Assets); RBPS 3 (Screen and Control Access); RBPS 4 (Deter, Detect and Delay); RBPS 5 (Shipping, Receipt and Storage); RBPS 6 (Theft and Diversion); RBPS 7 (Sabotage)

Delay

The capability to slow down an adversary’s progress sufficiently to allow adequate protective forces to respond by the use of physical security measures, business administrative/procedural measures, and other security management processes.

RBPS that fall under Delay include: RBPS 1 (Restrict Area Perimeter); RBPS 2 (Secure Site Assets); RBPS 3 (Screen and Control Access); RBPS 4 (Deter, Detect and Delay); RBPS 5 (Shipping, Receipt and Storage); RBPS 6 (Theft and Diversion); RBPS 7 (Sabotage)

Response

The capability to communicate, report and manage the appropriate reaction(s) to potential attacks and/or adversary actions and/or to reduce the effect of security-related events.

RBPS that fall under Response include: RBPS 9 (Response); RBPS 11 (Training); RBPS 13 (Elevated Threats); RBPS 14 (Specific Threats, Vulnerabilities, or Risks)

Cyber

The capability to secure critical cyber systems from unauthorized on-site or remote access to critical process controls.

RBPS that fall under Cyber include: RBPS 8 (Cyber)

Security Management

The capability to manage the SSP, including the development and implementation of policies, procedures and other processes that support SSP implementation and oversight.

RBPS that fall under Security Management include: RBPS 10 (Monitoring); RBPS 11 (Training); RBPS 12 (Personnel Surety); RBPS 15 (Reporting of Significant Security Incidents); RBPS 16 (Significant Security Incidents and Suspicious Activities); RBPS 17 (Officials and Organization); RBPS 18 (Records)

RBPS Resources

The CFATS RBPS Guidance and these fact sheets are tools to assist high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulations at their tier level, and are tailored to the unique considerations of each facility.

RBPS 8 - Cyber addresses the prevention of unauthorized on-site or remote access to critical process controls, critical business systems, and other sensitive computerized systems.

RBPS 9 - Response addresses the development and exercising of an emergency plan to mitigate and respond to security incidents in a timely manner. 

RBPS 12 - Personnel Surety addresses the background checks facilities are required to perform on people who have access to restricted areas or critical assets.

RBPS 15 and RBPS 16 - Reporting Significant Security Incidents address the development of protocols and procedures to promptly and adequately identify, investigate, and report all significant security incidents and suspicious activities in or near the site to the appropriate facility personnel, local law enforcement, and/or DHS.

RBPS 18 - Records addresses the creation, maintenance, protection, storage, and disposal of specific security-related records pursuant to 6 CFR § 27.255.

Contact Information

Visit the CFATS Knowledge Center for an online repository of frequently asked questions, articles, and the latest news related to the CFATS program.

For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.

Last Published Date: May 23, 2018
