An SSP must take into account both the SVA for the covered facility and the applicable RBPS. The plan must identify and describe the function of the measures the facility will employ to close the gaps between the existing security measures and the RBPS for its assigned tier. DHS will determine that the specific options selected by the site owner/operator protect against the various potential attack scenarios in the SVA and adequately address the RBPS.
Covered facilities also will have a continuing obligation, which will vary based on their risk-based tier, to maintain and periodically update their SSP.
RBPS per tier level
There are four risk-based tiers, ranging from highest risk at Tier 1 to lowest risk at Tier 4. This generally means that Tier 1 facilities must effectively demonstrate “more robust” security systems — meaning those with greater capability, reliability and resistance to defeat than those provided by lower tier facilities. DHS will consistently apply performance standards across all tiers, but guidelines for each tier vary relative to the consequence of malevolent acts posed by each facility. As already noted, the Act restrains DHS from requiring any specific measures.
CFATS includes nineteen risk-based performance standards (see Table 1). Each covered facility must select, develop and implement appropriate risk-based measures to satisfy these standards.
(1) Restrict Area Perimeter. Secure and monitor the perimeter of the facility;
(2) Secure Site Assets. Secure and monitor restricted areas or potentially critical targets within the facility;
(3) Screen and Control Access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter, including:
(4) Deter, Detect, and Delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful, including measures to:
(5) Shipping, Receipt, and Storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility;
(6) Theft and Diversion. Deter theft or diversion of potentially dangerous chemicals;
(7) Sabotage. Deter insider sabotage;
(8) Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control And Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS); critical business systems; and other sensitive computerized systems;
(9) Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders;
(10) Monitoring. Maintain effective monitoring, communications and warning systems, including:
(11) Training. Ensure proper security training, exercises, and drills of facility personnel;
(12) Personnel Surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets, including:
(13) Elevated Threats. Escalate the level of protective measures for periods of elevated threat;
(14) Specific Threats, Vulnerabilities, or Risks. Address specific threats, vulnerabilities or risks identified by the Assistant Secretary for the particular facility at issue;