(a) Initial assessment. If the Executive Assistant Director determines that a chemical facility is high risk, the facility must complete a Security Vulnerability Assessment. A Security Vulnerability Assessment shall include:
(1) Asset Characterization, which includes the identification and characterization of potential critical assets; identification of hazards and consequences of concern for the facility, its surroundings, its identified critical asset(s), and its supporting infrastructure; and identification of existing layers of protection;
(2) Threat Assessment, which includes a description of possible internal threats, external threats, and internally-assisted threats;
(3) Security Vulnerability Analysis, which includes the identification of potential security vulnerabilities and the identification of existing countermeasures and their level of effectiveness in both reducing identified vulnerabilities and in meeting the applicable risk-based performance standards;
(4) Risk Assessment, including a determination of the relative degree of risk to the facility in terms of the expected effect on each critical asset and the likelihood of a success of an attack; and
(5) Countermeasures Analysis, including strategies that reduce the probability of a successful attack or reduce the probable degree of success, strategies that enhance the degree of risk reduction, the reliability and maintainability of the options, the capabilities and effectiveness of mitigation options, and the feasibility of the options.
(b) Except as provided in § 27.235, a covered facility must complete the Security Vulnerability Assessment through the CSAT process, or through any other methodology or process identified or issued by the Executive Assistant Director.
(c) Covered facilities must submit a Security Vulnerability Assessment to the Department in accordance with the schedule provided in § 27.210.
(d) Updates and revisions. (1) A covered facility must update and revise its Security Vulnerability Assessment in accordance with the schedule provided in § 27.210.
(2) Notwithstanding paragraph (d)(1) of this section, a covered facility must update, revise, or otherwise alter its Security Vulnerability Assessment to account for new or differing modes of potential terrorist attack or for other security-related reasons, if requested by the Executive Assistant Director.
[72 FR 17729, Apr. 9, 2007, as amended at 86 FR 41891, Aug. 4, 2021]