Extensive and potentially expensive security obligations may be imposed on the private sector as a result of new risk-based Guidance that has been released for comment by the Department of Homeland Security (DHS). The deadline for filing comments is November 26, 2008.

The DHS issued the draft Guidance to articulate some of the security measures and processes that facilities may have to implement to be in compliance with the appropriate Risk-Based Performance Standards (RBPS). The RBPS are 18 riskbased standards that were established by the DHS in connection with the Chemical Facility Anti-Terrorism Standards (CFATS). All facilities subject to site security obligations under CFATS will have to develop Site Security Plans (SSPs) that comply with the RBPS.

While the DHS asserts that facilities have some discretion to tailor their SSPs to their specific circumstances and risk profile, many of the examples and metrics provided in the Guidance could result in significant costs for covered facilities. For example, many high-risk facilities may have to implement crash-related antivehicle barriers, and some may have to provide video surveillance around some or all of the perimeter. Certain facilities may have to employ security forces to meet these standards. The security measures needed for compliance will vary from facility to facility, however, and will require individualized analysis.

At this stage in the CFATS regulatory program, regulated facilities should check to ensure that they have submitted the necessary Security Vulnerability Assessment (SVA) by the DHS-established deadline. In addition, even if businesses choose not to comment on the proposed RBPS Guidance, they will need to consider whether their current planning satisfies the RBPS and should begin consideration of the required SSP.

Once DHS makes the final CFATS tiering designation for a regulated facility, the facility will need to analyze whether it satisfies the RBPS, given the facility’s risk profile. If it does not satisfy the RBPS, the facility will then have to determine what additional security measures must be adopted to comply with the standards. Failure to comply may lead to a civil penalty of up to $25,000 per day of the violation, or an order to cease operations, or both.

The request for comments, published in the Federal Register on October 27, is available at: http:// federalregister.gov/OFRUpload/ OFRData/2008-25596_PI.pdf. Text of the Guidance document is available at: http://www.dhs.gov/xprevprot/programs/ gc_1224871388487.shtm. tab=0001.