ChemLock: Policies, Plans, and Procedures Security Goal
The ChemLock program encourages facilities with dangerous chemicals to develop a holistic, customized, site-specific security plan that mitigates risk and enhances chemical security at the facility. To assist your facility in developing a security plan, the ChemLock program presents five security goals to consider as you evaluate and implement security measures tailored to your facility’s unique circumstances and business model. This is an overview of the policies, plans, and procedures security goal.
Policies, Plans, and Procedures Security Goal
Policies, plans, and procedures ensure you have the capability to manage your facility security plan, including the development and implementation of policies, procedures, and other processes that support security plan implementation and oversight. Your facility’s security plan cannot be effective without combining cyber and physical security measures with written procedures to help you execute all aspects of the security plan.
Examples of Policies, Plans, and Procedures
Examples of policies, plans, and procedures include maintenance, inspection, and testing of security equipment; a security awareness and training program; background checks on personnel; an insider threat program; a visitor escort policy; processes for incident reporting and investigations; and the establishment of roles and responsibilities for facility personnel and recordkeeping policies.
Policies, plans, and procedures will vary by the needs of the facility, but generally include:
- Maintenance, inspection, and testing of security equipment. Regular maintenance, inspection, tests, repairs, and improvements to the security, safety, and communications systems increases the reliability of such systems and will improve response time.
- Security awareness and training program. A security awareness and training program (SATP) is a predefined and documented set of scheduled activities. This can include training, exercises, drills, tests, and joint initiatives that focus on relevant security-related issues for your facility and enhance the overall
security awareness of all facility personnel.- The ChemLock program provides no-cost chemical security training that your facility can sign up for or request a special session for your facility.
- Background checks on personnel. Background checks can significantly improve your facility’s ability to deter, detect, and defend against insider threats or other covert attacks. Checks to consider include employment history, educational history, criminal history, and credentials.
- The ChemLock program has a personnel background check policy template that facilities can download and customize to meet their own unique needs.
- Insider threat program. Current or former employees with access to and knowledge of your organization’s internal policies and procedures can intentionally use that access to harm your organization. Carefully consider scenarios for insider threat while developing all areas of your security plan and what could happen if these areas were compromised.
- Learn more about CISA's Insider Threat Mitigation program.
- Visitor escort policy. Identification and control mechanisms for visitors can help mitigate the risk posed to your facility by visitors.
- Processes for incident reporting and investigations. Your facility should have an incident reporting and investigation program so that all significant security incidents are promptly and adequately reported to the appropriate facility personnel, local law enforcement entities, and CISA, as applicable, and to ensure that investigations are thorough in order to reveal vulnerabilities and identify corrective actions.
- Learn more about developing a process for reporting suspicious activity and security incidents.
- Officials, organization, and records. To establish and reinforce a security culture, maintaining a security organization so employees understand their roles and responsibilities as they relate to security is an imperative. In addition, the establishment of a records management program ensures that your organization is following established policies and programs and allows for a comprehensive audit program.
Considerations for Policies, Plans, and Procedures
When developing and implementing policies, plans, and procedures, your facility should account for its operational constraints and business needs. For example, a visitor escort policy will look very different at a retailer when compared to a manufacturing facility. Similarly, maintenance, inspection, and testing of security equipment will vary based on the detection, delay, cyber, and response security measures implemented at the facility.
It is important to ensure that all appropriate facility and third-party personnel are included in the development and implementation of the policies, plans, and procedures. Appropriate personnel should also be thoroughly trained in the policies, plans, and procedures to ensure awareness and familiarity. Policies, plans, and procedures should be tested periodically via exercises or drills so that they remain relevant and up to date.
Building on the ChemLock security goals, the ChemLock program also provides information to help facilities think through a variety of chemical security topics to ensure that your facility security plan is holistic and comprehensive.
Additional Chemical Security Considerations
Next Steps
Here are some questions you can use to evaluate your facility’s policies, plans, and procedures:
- How often is your security equipment inspected and tested?
- What kind of security awareness and training program has been established?
- How are background checks conducted for new and current personnel?
- Is there an established insider threat program?
- Is there an established reporting process for suspicious activity?
- Do all personnel know who to contact in the event of a security incident at your facility?
- What processes have been implemented for keeping records of policies, plans, and procedures?
- How often are audits or exercises conducted to ensure that policies, plans, and procedures are up to date?
ChemLock Security Goals
Learn more about the other ChemLock security goals.
ChemLock Security Goals
ChemLock: Detection Security Goal
ChemLock: Delay Security Goal
ChemLock: Response Security Goal
ChemLock Security Plan
To help facilities use the ChemLock security goals to develop a security plan or evaluate an existing plan, CISA has a guidance document and security plan template that facilities can download and customize for their facility.
ChemLock Services and Tools
Not sure where to start? CISA has security experts across the country that can come to your facility to help you evaluate whether your current security measures adequately address these security goals.
If you want to learn more about these security goals, ChemLock provides training that will walk you through them in greater detail so that you can build a facility security plan tailored for your facility.
To request any of these ChemLock services, please fill out the ChemLock Services Request Form.
ChemLock On-Site Assessments and Assistance
ChemLock Training
Contact Information
For more information or questions, please email ChemLock@cisa.dhs.gov.
Note: Participation in any portion of CISA's ChemLock program does not replace any reporting or compliance requirements under CISA's Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR part 27). Some ChemLock activities may fulfill CFATS requirements, depending on your specific security plan. Contact local CISA Chemical Security personnel or visit the CFATS webpage to learn more about CFATS regulatory requirements.