CFATS Alternative Security Program for Chemical Distribution

CHEMICAL-TERRORISM VULNERABILITY INFORMATION
WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose
to persons without a “need to know” in accordance with 6 CFR § 27.400(e). Unauthorized release may result in civil penalties
or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in
accordance with 6 CFR 27.400(h) and (i).
CFATS Alternate Security Program
Company Name
Facility Name
Table of Contents
Prologue: Responsible Care/Responsible Distribution - Enhancing CFATS Compliance
1. Facility Identification and Terminology
2. Facility Operating and Security Organizations (RBPS 17)
3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (All RBPSs)
4. CFATS Compliance Time Line
5. Facility Description (RBPS 1, 2)
6. Perimeter Security (RBPS 1, 2, 3, 4, 6*, 7*)
7. Access Control (RBPS 1, 2, 3, 4, 5, 6*, 7*, 12)
8. Security Monitoring & Response (RBPS 1, 2, 4, 6*, 7*, 9, 11, 15, NOT RBPS 10)
9. Emergency Response and Contingency Operations (RBPS 4, 7*, 9, 11)
10. Shipping and Receiving (RBPS 5, 6*, 7*, 9, 11)
11. Theft (RBPS 6)
12. Sabotage/Contamination (RBPS 7)
13. Cyber Security (RBPS 8)
14. Security Equipment Inspection, Testing & Preventive Maintenance (RBPS 10)
15. Training (RBPS 8, 9, 11, 16)
16. Personnel Surety (RBPS 12)
17. NTAS Threat Escalation, Specific Threats (RBPS 13, 14)
18. Security Incident Identification, Reporting & Investigation (RBPS 8, 15, 16)
19. Recordkeeping (RBPS 18)
20. SSP/ASP Audits
21. Planned and Proposed Security Measures
22. Attachments
Sections address RBPSs listed in the section titles. Underscore signifies primary emphasis.
Asterisk signifies applicability only if facility is tiered for that issue (theft or sabotage).
Prologue: Responsible Care/Responsible Distribution - Enhancing CFATS Compliance
BACKGROUND
Member companies of the American Chemistry Council (ACC) and the National Association of Chemical Distributors (NACD) are committed to continuous security improvement through their respective industry programs: Responsible Care and Responsible Distribution. Implementation of these programs is mandatory for all members of ACC and NACD. These programs address physical site, supply chain, and cyber security at all member locations, as well as other membership requirements. As a result, ACC and NACD members are required to conduct Site Security Vulnerability Assessments using approved methodologies and implement security measures that are verified by credible and independent third parties.
Industry programs can be leveraged by state and federal regulators through regulatory recognition. By recognizing compliance under an industry program, regulators can apply credit toward compliance with a regulatory program where the same elements overlap. Current examples where an industry program has been recognized include the City of Baltimore and the state of Maryland, where operators in those jurisdictions can substitute Responsible Care compliance for certain security regulations. Industry programs can also be used as a basis for alternative compliance programs, as in the case of the Coast Guard MTSA Alternate Security Plan (ASP).
ACC and NACD members have been able to leverage implementation of their respective industry programs to help them meet the regulatory requirements of CFATS, since these programs are highly consistent and complement one another. For purposes of completing this ASP for CFATS compliance, DHS reviewers should give consideration to ACC and NACD members’ commitment to, and proactive leadership in, enhancing security across all facets of their operations.
HOW THE RESPONSIBLE CARE AND RESPONSIBLE DISTRIBUTION SECURITY CODES WORK
ACC and NACD’s Security Codes are very similar in content and in what they expect of their member companies. Each has 13 management practices or elements that require member companies to conduct comprehensive security vulnerability assessments (SVAs) and implement security enhancements under a strict timeline, using methods approved by nationally recognized security experts. Companies also must obtain independent verification to prove they have implemented the required physical site security measures identified during the SVA.
Prioritization and Assessment of Sites
Companies initially prioritize their facilities according to a four-tier system based on vulnerability and
then conduct SVAs at all facilities.
Implementation of Security Measures
After completing the SVA process, companies implement security enhancements to control or mitigate
identified risks to facility, cyber and value chain security, based on a set of security management
practices.
• Protecting Information and Cyber-Security: Safeguarding information and process control systems is a critical component of sound security management and an essential part of the ACC and NACD Security Codes.
• Training, Drills, and Guidance: Emergency preparedness is a hallmark of both the Responsible Care and Responsible Distribution initiatives. Training, drills, and guidance enhance security awareness and capabilities across the business of chemistry.
• Communications, Dialogue, and Information Exchange: The Security Codes emphasize cooperation among chemical producers, distributors, customers, suppliers, and shippers and establishing and maintaining a constructive, consistent dialogue with government agencies.
• Response to Security Threats and Incidents: Companies evaluate, respond to, report, and communicate security threats as appropriate and have a process in place to respond to incidents and take corrective action.
• Continuous Improvement: ACC and NACD Security Codes include planning, establishing goals and objectives, monitoring progress and performance, analyzing trends, and developing and implementing corrective actions.
• Independent Review: Facilities undergo independent audits by third-party individuals and organizations to assure that necessary security enhancements are in place.
For more detailed information about ACC and NACD Security Codes, please refer to:
http://responsiblecare.americanchemistry.com/Responsible-Care-Program-Elements/Responsible-CareSecurity-Code and http://www.nacd.com/default/assets/File/nacd_securityflyer_september2013.pdf.
1. Facility Identification and Terminology
• CSAT Facility ID No.:
• Facility Name:
• General and Facility-Specific Acronyms and Terminology
  CCTV - Closed-circuit television (security/process cameras)
  CA - Critical Asset (see RBPS Guidance p. 16 for Critical Assets)
  CDRA - CFATS-Designated Restricted Area (see RBPS Guidance p. 16 for Restricted Area)
  DCS - Distributed Control System
  ICS - Industrial Control System
  IDS - Intrusion Detection System
  MOU - Memorandum of Understanding, typically with a local, regional or state law enforcement or emergency response entity laying out the division of security and response responsibilities between the facility and agency
  PCS - Process Control System
  ERP - Enterprise Resource Planning software – computer software for tracking, for example, materials received, shipped and in inventory
  SCADA - Supervisory Control and Data Acquisition
  -- Other Facility Specific Acronyms --
2. Facility Operating and Security Organizations (RBPS 17)
• Operating and Security Roles
  o Owner/Operator or Designate
    Name
    Title
    Telephones
    Email
  o Corporate Security Officer
    Name
    Title/responsibility
    Telephones
    Email
  o Facility Security Officer
    Name
    Title
    Telephones
    Email
  o Alternate Facility Security Officer
    Name
    Title
    Telephones
    Email
  o Cyber Security Officer
    Name
    Title/responsibility
    Telephones
    Email
  o Facility Plant Manager
    Name
    Title/responsibility
    Telephones
    Email
3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (All RBPSs)
The measures in the ASP apply to the following COIs and associated security issues as per
the Final Tier Letter:
Name | CAS# | Security Vulnerability Issue | Tier | Process
“Process” indicates the facility processes relevant to the COI: Rc=receive, M=manufacture, Sh=ship, Sl=sell
4. CFATS Compliance Time Line
Date of last Top Screen submission: Month dd, yyyy
Date of last SVA submission: Month dd, yyyy
Date of Final Tier Letter: Month dd, yyyy
[Date of Compliance Assistance Visit: Month dd, yyyy]
[Date of Request for Redetermination: Month dd, yyyy]
5. Facility Description (RBPS 1, 2)
• Locale and total acreage
• Buildings and storage areas (names, descriptions, square footage)
• Facility-based, asset-based or hybrid protection approach
• Security Guard personnel
• CFATS-Designated Restricted Areas (CDRAs)
  o Description
• Critical Assets (CAs)
  o Description
• Special Considerations
  o
• Google Earth or similar aerial image
• Facility diagram showing perimeter, access points, CDRA’s, Critical Assets, and the location of COIs in relationship to these components
6. Perimeter Security (RBPS 1, 2, 3, 4, 6*, 7*)
The facility employs a process for limiting access to the facility and/or to CDRAs.
• Security Barriers, Perimeter Fence and Top Guard (qualitative description)/ Perimeter Structures.
• Topographical or landscaping barriers
• Vehicle barriers
• Signage
• Clear zones
• Lighting
• Perimeter security measures (i.e., personnel, intrusion detection, cameras, other to include monitoring frequency)
• CDRA security measures (i.e., personnel, intrusion detection, cameras, other to include monitoring frequency)
7. Access Control (RBPS 1, 2, 3, 4, 5, 6*, 7*, 12)
The facility employs a process for controlling access to the facility and screening selected persons and vehicles seeking access to CDRAs.
• Gates/ portals/ access points
  o Motor vehicle
  o Rail
  o Personnel
  o Emergency
• Signage
• Key/lock/combination and access credential control program
• Facility Personnel (Employee/Contractor) Identification Verification and Access Measures (see also Section 16 for Personnel Surety):
  o Identification verification method (personnel based and/or electronic access control system)
  o Screening and Inspections
• Visitor Identification and Processing
  o Identification verification (personnel based and/or electronic access control system)
  o Identification badges
  o Sign-in sheets
  o Screening and Inspections
  o Escorting/ restricted zones
• Vehicle Identification and Access Measures (inbound/outbound)
  o Driver credentials (e.g., Photo ID, HazMat endorsement)
  o Vehicle Identification
  o Screening and inspection
  o System controls (e.g., swipe card logging)
  o Facility/CDRA parking restrictions, proximity to COI if theft/diversion (i.e., signage or barriers)
8. Security Monitoring & Response (RBPS 1, 2, 4, 6*, 7*, 9, 11, 15, NOT RBPS 10)
See also Section 18 - Security Incident Identification, Reporting & Investigation
The facility monitors each CDRA and CA to detect unauthorized adversary actions
towards Final Tier Chemicals of Interest. The facility has a process in place to rapidly and
efficiently report security incidents to the appropriate entities (e.g., corporate management,
local law enforcement, local emergency responders, DHS).
• Security Measures and Operations (Examples: intrusion detection systems (IDS), CCTV, Personnel Coverage)
  o Overview
    ▪ General
    ▪ Backup power
  o Coverage (be brief)
    ▪ Perimeter
    ▪ Access points
    ▪ Storage area
    ▪ Loading / unloading area
    ▪ CDRA’s / CA’s
  o Monitoring
    ▪ Frequency of monitoring
    ▪ Who monitors
    ▪ Recording capability
    ▪ Notifications
  o System descriptions
• Security Operations
  o Security monitoring, response and reporting process
  o External notifications
  o Security Response – See also Section 18
  o Proprietary or contracted response forces
  o Coordination with local, state, or federal law enforcement
9. Emergency Response and Contingency Operations (RBPS 4, 7*, 9, 11)
The facility has a documented crisis management plan that details how the facility will
respond to an emergency and has demonstrated its ability to implement the plan through
drills and exercises.
• Internal Emergency Notification Systems
  o Back-up power
  o Alarm systems and/or types of notifications
  o Communication systems, primary and backup
• Process Safety Mitigation (as it relates to CFATS and protection of COI) [guidance: this may not be applicable to warehouse operations unless there are process systems in place]
• Crisis Management Plan Overview
  o Site emergency plans
  o Corporate support
  o List of responding police and fire agencies and contact information
  o Does the facility share its plan with local law enforcement or responders?
  o Community notification
• Contingency Operations of Safety and Security Systems
10. Shipping and Receiving (RBPS 5, 6*, 7*, 9, 11)
The facility has vehicle identification and entry authorization, shipping, and control
procedures.
• Shipping and Receiving Overview
  o Materials received and shipped
  o Shipment verification (inbound and outbound)
  o Carrier/driver identification
  o Response to “Unknown Carrier”
• Customer Qualification “Know your Customer” Program
• Transportation (into, leaving and within facility)
  o Carriers
  o Equipment utilized
  o On-site storage/staging/parking procedures
  o Security coverage
11. Theft (RBPS 6)
(Responses related to RBPS 6 are only required for facilities tiered for theft/diversion)
Since the facility has not been tiered for theft/diversion, it does not specifically address
security measures for theft in this ASP.
OR
The facility has security measures that reduce the likelihood of theft or diversion of COI.
• Scope
• COI Storage Area
  o Location within facility
  o Construction/physical security
  o Located in a CDRA?
  o Access control and inspections (personnel and vehicles)
  o Monitoring (including personnel, vehicle and rail access points)
  o Inventory control (frequency of reconciliation)
12. Sabotage/Contamination (RBPS 7)
(Responses related to RBPS 7 are only required for facilities tiered for Sabotage/Contamination)
Since the facility has not been tiered for sabotage/contamination, it does not specifically
address security measures for sabotage/contamination in this ASP.
OR
The facility has security measures that reduce the likelihood of sabotage or contamination
of COI.
• Scope
• Sabotage Procedures and Tampering Prevention/Detection
  o Processes for detection of tampering
  o Tamper evident packaging, containers, seals or locks
• COI Storage Area
  o Location within facility
  o Construction/physical security
  o Located in a CDRA?
  o Access control and inspections (personnel and vehicles)
  o Monitoring (including personnel, vehicle and rail access points)
  o Inventory control (frequency of reconciliation)
13. Cyber Security (RBPS 8)
The facility has in place cyber security policies, procedures, and measures that result in
deterring cyber sabotage, including by preventing unauthorized onsite or remote access to
critical process controls, critical business systems, and other sensitive computerized
systems.
• Components/systems affecting COIs
• Cyber Security Policies
  o Cyber Security Policies, Plans and Procedures - The facility has documented and distributed cyber security policies and/or procedures (including a change management policy) commensurate with the facility’s current IT operating environment.
  o Cyber Security Officials - The facility has designated one or more individuals to manage cyber security who can demonstrate proficiency through a combination of training, education, and/or experience sufficient to develop cyber security policies and procedures and ensure compliance with all applicable industry and governmental cyber security requirements.
• Access Control
  o Systems Boundaries - The facility has identified and documented systems boundaries (i.e., the electronic perimeter) and has implemented security controls to limit access across those boundaries.
  o External Connections - The facility has established and documented a business requirement for every external connection to/from its critical systems, and external connections have controls that permit access only to authorized and authenticated users.
  o Least Privilege - The facility practices the concept of least privilege.
  o Remote Access and Rules of Behavior - The facility has defined allowable remote access (e.g., Internet, VPN, modems) and rules of behavior. Those rules describe user responsibilities and expected behavior with regard to information system usage, to include remote access activities (e.g., appropriate Web sites, conduct of personal business).
  o Password Management - The facility has documented and enforces authentication methods (including password structures) for all administrative and user accounts. Additionally, the facility changes all default passwords and ensures that default passwords for new software, hardware, etc., are changed upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), the facility has implemented appropriate compensating security controls (e.g., physical controls).
• Personnel Security
  o Criticality Sensitivity Review - The facility has reviewed and established security requirements for positions that permit access to critical cyber systems.
  o Unique Accounts - The facility has established and enforces unique accounts for each individual user and administrator, has established security requirements for certain types of accounts (e.g., administrative access to the system), and prohibits the sharing of accounts. In instances where users function as a group (e.g., control system operators) and user identification and authentication is role based, then appropriate compensating security controls (e.g., physical controls) have been implemented.
  o Separation of Duties - IT management, systems administration, and IT security duties are not performed by the same individual. In instances where this is not feasible, appropriate compensating security controls (e.g., administrative controls, such as review and oversight) have been implemented.
  o Access Control Lists - The facility maintains access control lists, and ensures that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated in a timely manner for personnel who leave the company, complete a transfer into a new role, or incur a change in responsibilities.
  o Third-party Cyber Support - The facility ensures that service providers and other third parties with responsibilities for cyber systems have appropriate personnel security procedures/practices in place commensurate with the personnel surety requirements for facility employees.
  o Physical Access to Cyber Systems and Information Storage Media - The facility has role-based physical access controls to restrict access to critical cyber systems and information storage media.
• Awareness and Training
  o Cyber Security Training - The facility ensures that employees receive role-based cyber security training on a regular annual basis that is applicable to their responsibilities and within a reasonable period of time of obtaining access to the facility’s critical cyber systems. (See Section 15)
• Cyber Security Controls, Monitoring, Response, and Reporting
  o Cyber Security Controls - The facility has implemented cyber security controls to prevent malicious code from exploiting critical cyber systems, and it applies appropriate software
    security patches and updates to systems as soon as possible given critical operational and testing requirements.
  o Network Monitoring - The facility monitors networks for unauthorized access or the introduction of malicious code and logs cyber security events, reviews the logs weekly, and responds to alerts in a timely manner. Where logging of cyber security events on their networks is not technically feasible (e.g., logging degrades system performance beyond acceptable operational limits), appropriate compensating security controls (e.g., monitoring at the network boundary) are implemented.
  o Incident Response - The facility has defined computer incident response capability for cyber incidents.
  o Incident Reporting - Significant cyber incidents are reported to senior management and to the DHS’s US-CERT at www.us-cert.gov.
  o Safety Instrumented Systems – The facility’s SISs have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor. OR The facility does not have Safety Instrumented Systems.
• Disaster Recovery and Business Continuity
  o Post-Incident Measures - The facility’s alternate facility operations and primary facility recovery/reconstitution phases have cyber security measures (and temporary compensatory measures as needed) consistent with those in place for the original operational functions.
• System Development and Acquisition
  o Systems Life Cycle - The facility integrates cyber security into the system life cycle (i.e., design, procurement, installation, operation, and disposal). The facility has established security requirements for all systems and networks before they are put into operation and for all operational systems and networks throughout their life cycles.
• Configuration Management
  o Documenting Business Needs - The facility has documented a business need for all networks, systems, applications, services, and external connections.
  o Cyber Asset Identification – The facility has identified hardware, software, information, and services and has disabled all unnecessary elements where technically feasible. The facility also has identified and evaluated potential vulnerabilities and implemented appropriate compensating security controls.
  o Network/ System Architecture - The facility has an asset inventory of all critical IT systems.
• Audits
  o Audits - The facility conducts periodic audits that measure compliance with the facility’s cyber security policies, plans, and procedures and reports audit results to senior management.
14. Security Equipment Inspection, Testing & Preventive Maintenance (RBPS 10)
(This section addresses the RBPS referred to as “Monitoring,” which is separate and distinct
from the monitoring of security systems for the detection of adversary actions.)
The facility has a written plan to regularly inspect, test, calibrate and maintain security
systems.
• Site Practices For Inspection, Testing And Preventive Maintenance Of Security Equipment
  o Overview of process for each security system (gates, cameras, DVR, alarms, IDS, lighting)
    ▪ Testing, inspection and preventive maintenance for each
    ▪ Temporary compensatory measures during outages
    ▪ Prompt reporting of systems failures and outages to appropriate personnel, including as needed the FSO/AFSO, to implement temporary compensatory measures
    ▪ Certification and activity logging of 3rd party maintenance providers
• Record-keeping – See Section 19
15. Training (RBPS 8, 9, 11, 16)
The facility has a documented security awareness and training program for employees.
• Initial and periodic security training is integrated into existing staff training processes, such as those required for DOT HazMat security training.
• Roles and responsibilities of CSO, FSO, AFSO and other designated CFATS roles are communicated prior to or within ____ weeks of individuals assuming those roles.
• Depending on roles, training focus areas may include
  o Threat profile overview
  o CFATS-designated restricted areas
  o Security incident response
  o Detection of suspicious activity and evidence of theft or tampering
  o Cyber security awareness and processes
  o Reporting of security incidents
  o Investigation and documentation of security incidents
  o DHS NTAS threat alert response
  o Emergency Response and Crisis Management, including drills and exercises
  o External agency interfaces
  o Any specific threats communicated by the Assistant Secretary
• Record-keeping – See Section 19
16. Personnel Surety (RBPS 12)
The facility has processes, procedures and/or systems to perform appropriate background
checks on and ensure appropriate credentials for facility personnel, and, as appropriate,
for unescorted visitors with access to restricted areas or critical assets, including:
(i) Measures designed to verify and validate identity;
(ii) Measures designed to check criminal history;
(iii) Measures designed to verify and validate legal authorization to work; and
(iv) Measures designed to identify people with terrorist ties.
All facility personnel and unescorted visitors with access to CDRA’s or critical assets must
have background checks performed.


Overview of Background Check program:
o Processes for new and existing employees, including frequency (annual, only upon hire,
etc.)
 Verification of social security number
 Criminal history check-(Federal, State or Local)
 USCIS Form I-9 check
 Additional checks deemed appropriate and necessary
o Disqualifying criteria
o Process for contractors requiring unescorted access to CDRA’s or critical assets
Screening for Terrorist Ties:
o The facility will have a documented process to comply with the CFATS requirements for
screening individuals against the Terrorist Screening Database (TSDB), within a
reasonable time after such requirements are established and communicated by DHS.
17. NTAS Threat Escalation, Specific Threats (RBPS 13, 14)
The facility has a documented process for rapidly implementing an increased security
posture in response to DHS NTAS threat alerts and other communications from the
Assistant Secretary, and has the ability to carry out that process in a timely manner.

• Overview of threat escalation procedures
  o Process for response to NTAS System threat level changes, with time line
• Communications from DHS
  o At such time as the Assistant Secretary may communicate threats, vulnerabilities or risks
    specific to this facility, the facility owner/operator will review and update security
    measures commensurate with the information provided.
18. Security Incident Identification, Reporting & Investigation (RBPS 8, 15, 16)
See also Section 8 – Security Monitoring & Response
The facility has written procedures and related personnel training that identify the types of
incidents to report, the process for reporting these incidents, to whom these incidents
should be reported, and who is responsible for reporting such incidents. The facility may
investigate selected security incidents to identify and potentially implement lessons learned.

• Examples of the types of incidents or events that may be qualified as reportable security
  incidents
• Overview of Security Incident Processes
  o Internal and external reporting processes; external reporting may include local, state and
    federal agencies as the situation warrants. Examples include:
    ▪ EMERGENCY -- 911
    ▪ Local law enforcement
    ▪ NICC – see http://www.dhs.gov/national-infrastructure-coordinating-center
      Email: NICC@hq.dhs.gov
      Phone: (202) 282-9201
    ▪ DHS US-CERT (for cyber incidents) – see https://www.us-cert.gov/
      Email: info@us-cert.gov
      Phone: (888) 282-0870
    ▪ FBI – see http://www.fbi.gov/report-threats-and-crime or
      http://www.fbi.gov/contact-us/
    ▪ Regional fusion centers – see
      https://nfcausa.org/default.aspx/MenuItemID/131/MenuGroup/Public+Home.htm
  o See attached template for incident reporting, listing types of incidents, agencies to be
    contacted for each type, and responsibility for reporting.
  o Roles and Responsibilities
  o Recordkeeping – see Section 19
  o Investigation process, including lessons learned and how implemented
19. Recordkeeping (RBPS 18)
The facility develops and retains CFATS-related records as per 6 CFR 27.255, using
guidance provided in the Revised Procedural Manual for Safeguarding CVI (2008).

• Minimum three year retention:
  o Training - date and location of each training session, time of day and duration of each
    session, a description of the training, the name and qualifications of the instructor, a list
    of attendees (including each attendee’s signature and a unique identifier), and the results
    of any evaluation or testing.
  o Drills and exercises - the date held, a description of the drill or exercise, a list of
    participants, a list of equipment (other than personal equipment) tested or employed in
    the exercise, the name(s) and qualifications of the exercise director, and any best
    practices or lessons learned that may improve the Alternate Security Plan.
  o Incidents and breaches of security - date and time of occurrence, location within the
    facility, a description of the incident or breach, the identity of the individual(s) to whom
    it was reported, and a description of the response.
  o Maintenance, calibration, testing of security equipment - date and time, name and
    qualifications of the technician(s) doing the work, and the specific security equipment
    involved for each occurrence of maintenance, calibration, and testing.
  o Security threats - date and time of occurrence, how the threat was communicated, who
    received or identified the threat, a description of the threat, to whom it was reported, and
    a description of the response.
  o SSP audits (including those required under §225(e)) and SVA audits - a record of the
    audit, results of the audit, name(s) of the person(s) who conducted the audit, and a letter
    certified by the covered facility stating the date that the audit was conducted. (SSP is
    taken to mean the combined SSP General Information/ASP as authorized.)
  o Letters of authorization and approval - The facility retains all Letters of Authorization
    and Approval from DHS and documentation identifying the results of audits and
    inspections conducted pursuant to §27.250.
  o Documentation of results of inspections and audits under 6 CFR 27.250 – a copy of the
    inspection report as provided by DHS
• Minimum six year retention:
  o Top Screens, Security Vulnerability Assessments, Alternate Security Program,
    Alternative Security Plan, and related correspondence, including Requests for Review
    and Requests for Redetermination
20. SSP/ASP Audits
The facility conducts annual audits of its compliance with the SSP/ASP and maintains
records as per Section 19 of this ASP, as required under 6 CFR 27.225(a)(6).
21. Planned and Proposed Security Measures

• Planned Security Measures
• Proposed Security Measures
22. Attachments

• Drawings/Diagrams
  o Overall facility diagram, showing location of COI in relationship to perimeter, access
    points, and CDRAs.
  o Other diagrams
• Photos and Other Illustrations
  o Photo “Album”
  o Additional illustrations
• Reference List of Policies, Practices, or Standard Operating Procedures
• Templates (Record-keeping, Incident reporting)
• Memoranda of Understanding (MOUs) with local law enforcement and other first
  responders – see Section 1 – Facility Identification and Terminology