“To assist high-risk facilities in selecting and implementing appropriate protective measures and practices and to assist DHS personnel in consistently evaluating those measures and practices for purposes of the Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27”.RBPS Guidance Document Disclaimer At the top of the Overview page and the beginning page of the discussion for each performance standard DHS has included a text box that contains an official disclaimer. While the disclaimer is rather extensive the important parts are covered in just two sentences:
“This guidance reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in this document are neither mandatory nor necessarily the 'preferred solution' for complying with the RBPSs.”It is obvious that DHS takes the Congressional mandate requiring RBPS very seriously. Wording similar to these two sentences from the disclaimer shows up repeatedly throughout the text. DHS wants to make sure that no one mistakes the RBPS guidance for a prescriptive, command-type regulatory document. General Guidance While the Guidance document provides detailed discussions about how to select appropriate security measures for each of the 18 performance standards, the introductory portion provides some general guidelines or ‘considerations’ that facilities should take into account when selecting and developing their security procedures. Briefly stated those considerations (pages 15 – 19) are:
“The Non-Prescriptive Nature of Risk-Based Performance Standards. “The Impact of the Nature of the Security Issue Underlying the Facility’s Risk Determination. “The Impact of the Type of Facility and Its Physical and Operating Environments. “An Individual Measure May Support Achievement of Multiple Risk-Based Performance Standards. “Layered Security/Combining Barriers and Monitoring to Increase Delay. “Asset-Specific vs. Facility-Wide Measures.”These considerations (to be discussed in more depth in later blogs in this series) reflect the varied nature of the different high-risk chemical facilities covered by the CFATS regulations. They also go a long way toward explaining why the RBPS are so critical to the CFATS process; it is highly unlikely that any specific security procedure would support these considerations for a significant number of high-risk facilities. COI and RBPS Requirements The various types of security problems that a high-risk chemical facility will have to deal with in their SSP will vary with the COI that are stored or used on site. The guidance document provides some examples of how this might work. For instance, “if a facility has no dangerous chemicals for which theft or diversion is a security issue, then it does not need to implement any additional measures to comply with RBPS 6 – Theft and Diversion” (page 11). This does not mean that a facility can ignore any of the 18 RBPS listed in 6 CFR § 27.230. They must all be addressed in the SSP. However, when “a facility believes it can satisfy a RBPS without the implementation of any specific security measures or practices, the basis for this belief should be clearly articulated in the facility’s Site Security Plan”. Tier Level Affects RBPS Requirements The other major factor that will affect a high-risk chemical facilities selection of security measures is the level of risk found at that facility. This risk level is reflected in the Tier level to which the company was assigned after their SVA submission. This reflects the intent of Congress to insure that the facilities that presented the highest risk to the public would have to take the most precautions to protect the public. Some of the RBPS are less affected by facility tier level than others. The response to the ‘Restrict Area Perimeter’ (RBPS #1) standard will certainly be more robust for Tier 1 facilities. The facility SSP provisions for the ‘Reporting of Significant Security Incidents’ (RBPS #15) will be less dependant on the facility tier status. This will be reflected in the discussion for each RBPS. Future Blogs In future blogs I will take a more detailed look how this Guide is organized and at the individual RBPS. When this document becomes publicly available I will certainly note that and provide information on where to download this lengthy (178 pages) document. In the next week or so we can expect to see this published in the Federal Register along with notification of how the public and industry can provide their comments on the document.