This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
One of the key concepts upon which the CFATS program was founded is that the diversity of chemical facilities makes it nearly impossible to establish a single security program which would fit each and every facility. So, when the CFATS regulations were written, DHS attempted to describe the outcome that they wanted to see from facility security programs rather than mandate which security measures facilities would be required to use. These risk-based performance standards (RBPS) were codified at 6 CFR 27.230. Any authorization of the ChemLock program should direct CISA to take the same tack in making the program SAFETY Act (6 USC 441 et seq) compliant.
CFATS RBPS
Subsection 27.230(a) outlines the 19 specific RBPS enforced in the CFATS program. They are:
Restrict area perimeter. Secure and monitor the perimeter of the facility.
Secure site assets. Secure and monitor restricted areas or potentially critical targets within the facility.
Screen and control access. Control access to the facility and to restricted areas within the facility by screening and/or inspecting individuals and vehicles as they enter.
Deter, detect, and delay. Deter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.
Shipping, receipt, and storage. Secure and monitor the shipping, receipt, and storage of hazardous materials for the facility.
Theft and diversion. Deter theft or diversion of potentially dangerous chemicals.
Sabotage. Deter insider sabotage.
Cyber. Deter cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Process Control Systems (PCS), Industrial Control Systems (ICS), critical business systems, and other sensitive computerized systems.
Response. Develop and exercise an emergency plan to respond to security incidents internally and with assistance of local law enforcement and first responders.
Monitoring. Maintain effective monitoring, communications and warning systems.
Training. Ensure proper security training, exercises, and drills of facility personnel.
Personnel surety. Perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets.
Elevated threats. Escalate the level of protective measures for periods of elevated threat.
Specific threats, vulnerabilities, or risks. Address specific threats, vulnerabilities or risks identified by the Executive Assistant Director for the particular facility at issue.
Reporting of significant security incidents. Report significant security incidents to the Department and to local law enforcement officials.
Significant security incidents and suspicious activities. Identify, investigate, report, and maintain records of significant security incidents and suspicious activities in or near the site.
Officials and organization. Establish official(s) and an organization responsible for security and for compliance with these standards.
Records. Maintain appropriate records.
ChemLock and Security Goals
The ChemLock program, as currently formulated, does not have quite the same RBPS approach to addressing security issues. It does, however, recognize that each facility will have its own peculiar security risks and concerns, and will require its own unique security program. To guide the development of that program, ChemLock has five security goals expressed as questions:
Can you DETECT an attack or suspicious activity?
Can you DELAY the adversary?
Are you able to RESPOND in a timely manner?
Are you protecting your CYBER assets?
Do you have the appropriate POLICIES, PLANS, and PROCEDURES to implement your plan?
One key word from the CFATS RBPS that is missing from the ChemLock goals is the word ‘deter’. The CFATS program was specifically designed to encourage facilities to take a variety of actions to help terrorists decide that an attack on the facility was going to be too difficult to attempt and look elsewhere for a target. The current ChemLock goals could easily be updated by inserting a new number one goal:
Have you taken steps to DETER an adversary from deciding to attack?
RBPS Guidance
While the RBPS are much more detailed than the six security goals described above, it is not clear that they would be that much more helpful to facilities trying to craft a security plan. DHS clearly understood that the regulatory RBPS were not a helpful guide for security planning, especially for facilities that were little practiced in security or had no in-house security expertise. So, in May 2009, as the newly identified ‘covered facilities’ were gearing up to craft their new Site Security Plans, DHS issued their Risk-Based Performance Standards Guidance document.
That document discussed each performance standard in some detail; those discussions included:
A brief description of the intent of the performance standard,
Security measures and considerations for achieving that performance standard, and
Tier-based metrics by which a facility could be judged to have achieved the described standard.
That document was still being used in its original form when the CFATS program was terminated in July 2023. It was, to be sure, more than a little dated, and needed to be upgraded to address new threats (ransomware attacks and uncrewed aircraft systems, for instance). The reason that it remained a useful guidance document was that it was backed up by the up-to-date knowledge of a cadre of chemical security inspectors (CSI) who had previously helped other chemical facilities craft site security plans and implement those plans.
RBPS Metrics
The CFATS program was clearly a regulatory program. As such, it needed measures the agency could use to establish whether or not a facility was in compliance. The RBPS Guidance document provided a series of metrics for each component of the RBPS. Each tier was provided with a written statement describing what the facility had to achieve to successfully meet each RBPS requirement. Where a requirement did not apply to a specific tier, the metric was clearly stated as “N/A”.
In crafting their Site Security Plans, facilities (working in coordination with their CSI) addressed each RBPS standard. Once the facility and DHS agreed that the site security plan met all of the appropriate standards for each RBPS, the SSP was approved by DHS and became the standard by which the facility would periodically be adjudged (via inspection by those same CSI) to be in compliance with the CFATS regulation.
Moving Forward
The current ChemLock security goals, properly fleshed out, could easily become the basis for a quasi-regulatory scheme by which facilities could be judged to be eligible for SAFETY Act protections. A version of the CFATS RBPS Guidance document would have to be created, tailored to the six security goals included in the updated ChemLock program and the five risk tiers proposed in my earlier post.