ChemLock: Policies, Plans, and Procedures Security Goal

Related topics:
Chemical Security, Critical Infrastructure Security and Resilience

The ChemLock program encourages facilities with dangerous chemicals to develop a holistic, customized, site-specific security plan that mitigates risk and enhances chemical security at the facility. To assist your facility in developing a security plan, the ChemLock program presents five security goals to consider as you evaluate and implement security measures tailored to your facility’s unique circumstances and business model. This is an overview of the policies, plans, and procedures security goal.

Policies, Plans, and Procedures Security Goal

ChemLock Policies, Plans, and Procedures Security Goal

Policies, plans, and procedures ensure you have the capability to manage your facility security plan, including the development and implementation of policies, procedures, and other processes that support security plan implementation and oversight. Your facility’s security plan cannot be effective without combining cyber and physical security measures with written procedures to help you execute all aspects of the security plan.

Examples of Policies, Plans, and Procedures

Examples of policies, plans, and procedures include maintenance, inspection, and testing of security equipment; a security awareness and training program; background checks on personnel; an insider threat program; a visitor escort policy; processes for incident reporting and investigations; and the establishment of roles and responsibilities for facility personnel and recordkeeping policies.

Policies, plans, and procedures will vary by the needs of the facility, but generally include:

  1. Maintenance, inspection, and testing of security equipment. Regular maintenance, inspection, tests, repairs, and improvements to the security, safety, and communications systems increases the reliability of such systems and will improve response time.
  2. Security awareness and training program. A security awareness and training program (SATP) is a predefined and documented set of scheduled activities. This can include training, exercises, drills, tests, and joint initiatives that focus on relevant security-related issues for your facility and enhance the overall
    security awareness of all facility personnel.
  3. Background checks on personnel. Background checks can significantly improve your facility’s ability to deter, detect, and defend against insider threats or other covert attacks. Checks to consider include employment history, educational history, criminal history, and credentials.
  4. Insider threat program. Current or former employees with access to and knowledge of your organization’s internal policies and procedures can intentionally use that access to harm your organization. Carefully consider scenarios for insider threat while developing all areas of your security plan and what could happen if these areas were compromised.
  5. Visitor escort policy. Identification and control mechanisms for visitors can help mitigate the risk posed to your facility by visitors.
  6. Processes for incident reporting and investigations. Your facility should have an incident reporting and investigation program so that all significant security incidents are promptly and adequately reported to the appropriate facility personnel, local law enforcement entities, and CISA, as applicable, and to ensure that investigations are thorough in order to reveal vulnerabilities and identify corrective actions.
  7. Officials, organization, and records. To establish and reinforce a security culture, maintaining a security organization so employees understand their roles and responsibilities as they relate to security is an imperative. In addition, the establishment of a records management program ensures that your organization is following established policies and programs and allows for a comprehensive audit program.

Considerations for Policies, Plans, and Procedures

When developing and implementing policies, plans, and procedures, your facility should account for its operational constraints and business needs. For example, a visitor escort policy will look very different at a retailer when compared to a manufacturing facility. Similarly, maintenance, inspection, and testing of security equipment will vary based on the detection, delay, cyber, and response security measures implemented at the facility.

It is important to ensure that all appropriate facility and third-party personnel are included in the development and implementation of the policies, plans, and procedures. Appropriate personnel should also be thoroughly trained in the policies, plans, and procedures to ensure awareness and familiarity. Policies, plans, and procedures should be tested periodically via exercises or drills so that they remain relevant and up to date.

Building on the ChemLock security goals, the ChemLock program also provides information to help facilities think through a variety of chemical security topics to ensure that your facility security plan is holistic and comprehensive.

List icon

Additional Chemical Security Considerations

The ChemLock program provides a variety of chemical security topics—from drones to no-notice events—that facilities with dangerous chemicals should consider as they develop and implement a facility security plan.

Next Steps

Here are some questions you can use to evaluate your facility’s policies, plans, and procedures:

  • How often is your security equipment inspected and tested?
  • What kind of security awareness and training program has been established?
  • How are background checks conducted for new and current personnel?
  • Is there an established insider threat program?
  • Is there an established reporting process for suspicious activity?
  • Do all personnel know who to contact in the event of a security incident at your facility?
  • What processes have been implemented for keeping records of policies, plans, and procedures?
  • How often are audits or exercises conducted to ensure that policies, plans, and procedures are up to date?

ChemLock Security Goals

Learn more about the other ChemLock security goals.

ChemLock icon in a hexagon

ChemLock Security Goals

CISA encourages facilities with dangerous chemicals to develop a holistic security plan based around five chemical security goals: detection, delay, response, cybersecurity, and policies, plans, and procedures. Learn more about these security goals.
ChemLock Detection Security Goal

ChemLock: Detection Security Goal

Detection is the ability to identify potential attacks or precursors to an attack and to communicate that information as appropriate. Learn more about the detection security goal that can enhance your facility's chemical security posture.
ChemLock Delay Security Goal

ChemLock: Delay Security Goal

Delay includes limiting access to your facility or assets to reduce the likelihood of an adversary successfully breaching the perimeter or assets and allowing sufficient time to initiate a response to the attack. Learn more about the delay security goal.
ChemLock Response Security Goal

ChemLock: Response Security Goal

Response includes the capability to communicate, report, and manage the appropriate reaction(s) to potential attacks and/or adversary actions, and/or to reduce the effect of security-related events. Learn more about how response measures enhance your chemical security posture.
Chemlock logo

ChemLock Security Plan

To help facilities use the ChemLock security goals to develop a security plan or evaluate an existing plan, CISA has a guidance document and security plan template that facilities can download and customize for their facility.

ChemLock Security Plan

ChemLock Services and Tools

Not sure where to start? CISA has security experts across the country that can come to your facility to help you evaluate whether your current security measures adequately address these security goals.

If you want to learn more about these security goals, ChemLock provides training that will walk you through them in greater detail so that you can build a facility security plan tailored for your facility.

To request any of these ChemLock services, please fill out the ChemLock Services Request Form.

Request ChemLock Services
On-Site Assessments and Assistance icon

ChemLock On-Site Assessments and Assistance

CISA's ChemLock program can provide on-site assistance and assessments that help facilities identify the security risks their on-site chemicals present and offer scalable, tailored suggestions for security measures that will best enhance their security posture.
ChemLock Training icon

ChemLock Training

The ChemLock program provides live, on-demand training to assist owners, operators, and facility personnel with understanding the threats that chemicals pose and what security measures can be put into place to reduce the risk of dangerous chemicals being weaponized.
Request ChemLock Services

Contact Information

For more information or questions, please email ChemLock@cisa.dhs.gov.

Note: Participation in any portion of CISA's ChemLock program does not replace any reporting or compliance requirements under CISA's Chemical Facility Anti-Terrorism Standards (CFATS) regulation (6 CFR part 27). Some ChemLock activities may fulfill CFATS requirements, depending on your specific security plan. Contact local CISA Chemical Security personnel or visit the CFATS webpage to learn more about CFATS regulatory requirements.