RISK-BASED PERFORMANCE STANDARDS (RBPS)

CFATS established eighteen Risk-Based Performance Standards (RBPSs) that covered facilities are required to satisfy in their Site Security Plans (SSPs). The RBPSs are the essence of CFATS; each identifies the areas for which a facility’s security measures must be examined and addressed. Compliance with each RBPS is performance-based; DHS cannot mandate the precise manner by which a facility must achieve the specific security outcome.

Eighteen (+ One) Risk-Based Performance Standards

Each facility must address all applicable RBPSs in its SSP. These are:

• Restrict Area Perimeter
• Secure Site Assets
• Screen and Control Access
• Deter, Detect, and Delay
• Shipping, Receipt, and Storage
• Theft and Diversion
• Sabotage
• Cyber
• Response
• Monitoring
• Training
• Personnel Surety
• Elevated Threats
• Specific Threats, Vulnerabilities, or Risks
• Reporting of Significant Security Incidents
• Significant Security Incidents and Suspicious Activities
• Officials and Organization
• Records

DHS added a nineteenth RBPS, permitting DHS to add “any additional performance standards” that may apply to a facility.

CFATS RBPS GUIDANCE

DHS published the CFATS RBPS Guidance document in final form in May 2009. The 194-page document was developed to assist covered facilities select possible measures to satisfy each RBPS, taking into account a facility’s specific tier determination.