Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS)

CFATS Announcement

As of July 28, 2023, Congress has allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire.

Therefore, CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in CSAT, perform inspections, or provide CFATS compliance assistance, amongst other activities. CISA can no longer require facilities to implement their CFATS Site Security Plan or CFATS Alternative Security Program.

CISA encourages facilities to maintain security measures. CISA’s voluntary ChemLock resources are available on the ChemLock webpages.

If CFATS is reauthorized, CISA will follow up with facilities in the future. To reach us, please contact CFATS@hq.dhs.gov.

Learn more about ChemLock

Collage of four risk-based performance standards (RBPS): RBPS 8 - Cyber, RBPS 10 - Monitoring, RBPS 18 - Records, RBPS 1 - Restrict Area Perimeter

Since each chemical facility faces different security challenges, Congress explicitly directed the Department of Homeland Security to issue regulations "establishing risk-based performance standards for security at chemical facilities."

The Department developed 18 Risk-Based Performance Standards (RBPS) that all chemical facilities determined to be "high-risk" must meet in their security plan (Site Security Plan [SSP] or Alternative Security Program [ASP]) in order to be in compliance with the Chemical Facility Anti-Terrorism Standards (CFATS).

RBPS Guidance

CISA recognizes that facilities have dedicated and invested time, resources, and capital to identify vulnerabilities and improve overall security. The nonprescriptive nature of a performance standard allows individual facilities the flexibility to address their unique security challenges by selecting the most cost-effective measures or activities to achieve the desired level of performance for each RBPS given the facility's tier level. Facilities may leverage their existing security measures in working toward compliance with CFATS, and specifically the RBPS.

The CFATS RBPS Guidance assists high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulations at their tier level and are tailored to the unique considerations of each facility.

Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) Guidance(PDF, 1.86 MB )

A facility must submit their SSP/ASP detailing the programs, processes, or measures they choose to implement to meet the RBPS. CISA reviews the SSP/ASP, combined with an onsite inspection, to determine if the facility meets the desired level of performance for each RBPS.

Overview of Risk-Based Performance Standards

The Risk-Based Performance Standards video (YouTube video) provides an overview of the 18 RBPS, which assist high-risk chemical facilities in selecting security measures and activities that comply with the CFATS regulation.

RBPS Overarching Security Guidelines

Security measures that differ from facility to facility mean that each facility's suite of security measures presents a new and unique problem for an adversary to solve. To assist chemical facilities in taking a holistic approach to their security posture and determine the appropriate security measures, a facility may think about RBPS through the use of five overarching security objectives: Detection, Delay, Response, Cyber, and Security Management. These guideposts are the overall security objectives that the RPBS address. Each objective spans multiple RBPS and can be satisfied through one or more of those RBPS.

Detection and Delay

Detection is the capability to identify potential attacks or precursors to an attack—hostile attack, theft, diversion, and/or sabotage of a chemical of interest—and to communicate that information, as appropriate.

Delay is the capability to slow down an adversary’s progress sufficiently to allow adequate protective forces to respond by the use of physical security measures, business administrative/procedural measures, and other security management processes.

Detection and Delay standards address a facility's processes, measures, and activities to identify potential attacks, to delay an attack, and to create sufficient time for security personnel to respond before the attack becomes successful.

RBPS that fall under Detection and Delay include:

RBPS 1 — Restrict Area Perimeter
RBPS 2 — Secure Site Assets
RBPS 3 — Screen and Control Access
RBPS 4 — Deter, Detect, and Delay
RBPS 5 — Shipping, Receipt, and Storage
RBPS 6 — Theft and Diversion
RBPS 7 — Sabotage

Response

The capability to communicate, report, and manage the appropriate reaction(s) to potential attacks and/or adversary actions, and/or to reduce the effect of security related events. RBPS that fall under Response include:

RBPS 9 — Response
RBPS 11 — Training
RBPS 13 — Elevated Threats
RBPS 14 — Specific Threats, Vulnerabilities, or Risks

Cyber

The capability to secure critical cyber systems from unauthorized onsite or remote access to critical process controls. RBPS that fall under Cyber include:

RBPS 8 — Cyber

Security Management

The capability to manage the SSP, including the development and implementation of policies, procedures, and other processes that support SSP implementation and oversight. RBPS that fall under Security Management include:

RBPS 10 — Monitoring
RBPS 11 — Training
RBPS 12 — Personnel Surety
RBPS 15 — Reporting of Significant Security Incidents
RBPS 16 — Significant Security Incidents and Suspicious Activities
RBPS 17 — Officials and Organization
RBPS 18 — Records

Contact Information

For questions, please send an email to CFATS@hq.dhs.gov.

For more information regarding the CFATS program, please contact CFATS@hq.dhs.gov.