6 CFR §27.225

1. (a)The Site Security Plan must meet the following standards:
   1. (1)Address each vulnerability identified in the facility's Security Vulnerability Assessment, and identify and describe the security measures to address each such vulnerability;
   2. (2)Identify and describe how security measures selected by the facility will address the applicable risk-based performance standards and potential modes of terrorist attack including, as applicable, vehicle-borne explosive devices, water-borne explosive devices, ground assault, or other modes or potential modes identified by the Department;
   3. (3)Identify and describe how security measures selected and utilized by the facility will meet or exceed each applicable performance standard for the appropriate risk-based tier for the facility; and
   4. (4)Specify other information the Executive Assistant Director deems necessary regarding chemical facility security.
2. (b)Except as provided in § 27.235, a covered facility must complete the Site Security Plan through the CSAT process, or through any other methodology or process identified or issued by the Executive Assistant Director.
3. (c)Covered facilities must submit a Site Security Plan to the Department in accordance with the schedule provided in § 27.210.
4. (d)Updates and revisions.
   1. (1)When a covered facility updates, revises, or otherwise alters its Security Vulnerability Assessment pursuant to § 27.215(d), the covered facility shall make corresponding changes to its Site Security Plan.
   2. (2)A covered facility must also update and revise its Site Security Plan in accordance with the schedule in § 27.210.
5. (e)A covered facility must conduct an annual audit of its compliance with its Site Security Plan.