“High risk” chemical sites covered by the Chemical Facility Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security (DHS) now should be receiving letters giving the DHS’ final determination of the consequence tiers into which they fall (see “Rule Affects Many Facilities” sidebar). With that determination in hand, they must move to meet Site Security Plan (SSP) requirements of the particular tier. So, here we delve into how Risk-Based Performance Standards (RBPS) metrics drive the SSP requirements and how best to deal with the requirements.
The DHS began evaluating public comments submitted on the draft Risk-Based Performance Standards Guidance in late November 2008 (see http://www.dhs.gov/xprevprot/programs/gc_1224871388487.shtm). This guidance was developed to assist high-risk chemical facilities in selecting and implementing protective measures and practices to meet the applicable RBPS depending on their final tier designation. The current 18 RBPS (19 counting the “any additional” caveat that allows the DHS to add future standards) cover securing and monitoring the site, controlling access, coordinating emergency response and crisis management, training, recordkeeping, and a dozen other related topic areas. Each has graduated levels of performance expectations (metrics) applicable to one or more of the four tiers. A site can use a variety of measures to satisfy any given RBPS, resulting in “layers of protection,” where the same measures could address more than one RBPS.
CFATS required over 36,000 sites handling specific chemicals of interest to complete a Top Screen. From this group, the DHS tentatively designated nearly 7,000 as “high risk” chemical sites. Each of these had to submit a Security Vulnerability Assessment. The DHS then assigned the sites to one of four tiers, based on the risk posed. The final push of the CFATS rule — its essence — is to prove compliance with the Risk-Based Performance Standards, to complete the SSP and to continually implement the plan.
The draft RBPS Guidance describes the general level of performance that facilities should strive to achieve under every RBPS in each of the four tiers. It also seeks to help facilities comply with CFATS by detailing the 18 RBPS as well as providing examples of various security measures and practices that facilities could consider for each RBPS at each tier. Managers of a high-risk facility have the option to choose and implement the suggested measures or other similar measures to meet the RBPS level of performance based on the site’s tier level.
Covered facilities have provided the DHS, via an online Security Vulnerability Assessment (SVA), with facility information, limited asset characterization, collateral blast impact estimates for various terrorist scenarios and related security data. The SVA process doesn’t provide facility managers with much viable “vulnerability” information upon which to base decisions for overall, cohesive security upgrades. Additionally, because the CFATS regulation specifically addresses terrorist threats, the singular focus on “high end” threats overlooks less malevolent but potentially more likely adversaries that also should be evaluated and addressed if the facility is to maintain a comprehensive security program (see “Consider the Whole Picture” sidebar).