In Section 550, Congress directed the Department of Homeland Security to identify and secure those chemical facilities that present the greatest security risk. Security risk is a function of:
- The consequence of a successful attack on a facility (consequence);
- The likelihood that an attack on a facility will be successful (vulnerability); and
- The intent and capability of an adversary with respect to attacking a facility (threat).
Therefore, Congress and the administration have directed the Department to ensure the security of specifically high-risk chemical facilities.
Risk for Chemical Facility Anti-Terrorism Standards (CFATS)
Since each chemical facility faces different security challenges, Congress explicitly directed the Department to issue regulations "establishing risk-based performance standards for security of chemical facilities."
These risk-based performance standards (RBPS) are particularly appropriate in a security context because they provide individual facilities the flexibility to address their unique security challenges. Using performance standards rather than prescriptive standards also helps to increase the overall security of the sector by varying the security practices used by different chemical facilities. Security measures that differ from facility to facility mean that each presents a new and unique problem for an adversary to solve.
Risk-Based Facility Tiering
The Department has developed a risk-based tiering structure that will allow it to focus resources on the high-risk chemical facilities. To that end, the Department will assign facilities to one of four risk-based tiers ranging from high (Tier 1) to low (Tier 4) risk.
Assignment of tiers is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest. The Department uses information submitted by facilities through the Chemical Security Assessment Tool (CSAT) Top-Screen and Security Vulnerability Assessment (SVA) processes to identify a facility’s risk, which is a function of the potential impacts of an attack (consequences), the likelihood that an attack on the facility would be successful (vulnerabilities), and the likelihood that such an attack would occur at the facility (threat).
All facilities that were individually requested by the Assistant Secretary or that meet the criteria in Appendix A must complete the Top-Screen. The highest tier facilities, or Phase 1 facilities, are those specifically requested by the Assistant Secretary to complete the Top-Screen; these are addressed by the Department first. All facilities that must complete the Top-Screen are preliminarily tiered. These facilities are required to complete an SVA, which provides more in-depth information that allows the Department to assign a final risk tier ranking to the facility.
Preliminary Tier 1, 2, and 3 facilities must subsequently submit an SVA. Tier 4 facilities may submit an Alternative Security Program (ASP) for the Department to consider in accordance with 6 CFR 27.235(a). Tier 3 and 4 facilities may choose to submit an Alternative Security Plan for the Site Security Plan (SSP) for consideration by the Department in accordance with 6 CFR 27.235(a).
Facilities that complete the Top-Screen and do not meet the consequence thresholds do not need to comply with CFATS.
The Department recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. Facilities will be able to make use of information from these improvements. Facilities may also leverage their existing security measures in working toward compliance with CFATS and specifically the RBPS.
The Department considers a variety of factors in determining the appropriate tier for each high-risk facility, including information about the public health and safety risk, as well as the presence of chemicals with a critical impact on the governance mission and the economy.
The security measures needed to satisfy the risk-based performance standards for each covered facility correspond to the security risks presented by the facility. Accordingly, facilities that present a higher risk will be required to meet more rigorous risk-based performance standards.
Additional Information on Complying with RBPS
RBPS 8 - Cyber
RBPS 8 - Cyber addresses the prevention of unauthorized on-site or remote access to critical process controls, critical business systems, and other sensitive computerized systems.
RBPS 9 - Response
RBPS 9 - Response addresses the development and exercising of an emergency plan to mitigate and respond to security incidents in a timely manner.
RBPS 12 - Personnel Surety
RBPS 12 - Personnel Surety addresses the background checks facilities are required to perform on people who have access to restricted areas or critical assets.
RBPS 18 - Records
For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.