"High risk" chemical sites covered by the Chemical Facility Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security (DHS) now should be receiving letters giving the DHS’ final determination of the consequence tiers into which they fall. With that determination in hand, they must move to meet Site Security Plan (SSP) requirements of the particular tier. So, here we delve into how Risk-Based Performance Standards (RBPS) metrics drive the SSP requirements and how best to deal with the requirements. The DHS began evaluating public comments submitted on the draft Risk-Based Performance Standards Guidance in late November 2008 (see http://www.dhs.gov/xprevprot/programs/gc_1224871388487.shtm). This guidance was developed to assist high-risk chemical facilities in selecting and implementing protective measures and practices to meet the applicable RBPS depending on their final tier designation. The current 18 RBPS (19 counting the “any additional” caveat that allows the DHS to add future standards) cover securing and monitoring the site, controlling access, coordinating emergency response and crisis management, training, recordkeeping, and a dozen other related topic areas. Each has graduated levels of performance expectations (metrics) applicable to one or more of the four tiers. A site can use a variety of measures to satisfy any given RBPS, resulting in “layers of protection,” where the same measures could address more than one RBPS.
Rule Affects Many Facilities
CFATS required over 36,000 sites handling specific chemicals of interest to complete a Top Screen. From this group, the DHS tentatively designated nearly 7,000 as “high risk” chemical sites. Each of these had to submit a Security Vulnerability Assessment. The DHS then assigned the sites to one of four tiers, based on the risk posed. The final push of the CFATS rule — its essence — is to prove compliance to Risk-Based Performance Standards, to complete the SSP and to continually implement the plan.
The draft RBPS Guidance describes the general level of performance that facilities should strive to achieve under every RBPS in each of the four tiers. It also seeks to help facilities comply with CFATS by detailing the 18 RBPS as well as providing examples of various security measures and practices that facilities could consider for each RBPS at each tier. Managers of a high-risk facility have the option to choose and implement the suggested measures or other similar measures to meet the RBPS level of performance based on the site’s tier level.
Covered facilities have provided to DHS, via an online Security Vulnerability Assessment (SVA), with facility information, limited asset characterization, collateral blast impact estimates for various terrorist scenarios and related security data. The SVA process doesn’t provide facility managers with much viable “vulnerability” information upon which to base decisions for overall, cohesive security upgrades. Additionally, because the CFATS regulation specifically addresses terrorist threats, the singular focus on “high end” threats overlooks less malevolent but potentially more likely adversaries that also should be evaluated and addressed if the facility is to maintain a comprehensive security program.
The RBPS metrics and the SSP raise some issues that aren’t well appreciated.
RBPS metrics. The draft RBPS Guidance only reflects the DHS’ view on various performance standards without the force or effect of law. The enabling legislation forbids the DHS from specifying security measures. However, while specific security measures and practices identified in the guidance aren’t mandatory and may not reflect the preferred solution in every case, they certainly are examples of measures and practices that high-risk facilities may wish to strongly consider as part of the overall strategy to address the RBPS. The unspoken truth is that these measures likely mirror the DHS’ perception and, so, it’s prudent to believe that they will be seen by inspectors as the “text book” solution set.