U.S. flag

An official website of the United States government, Department of Justice.

Method to Assess the Vulnerability of U.S. Chemical Facilities

NCJ Number
Date Published
November 2002
33 pages
This is a special report from the National Institute of Justice that presents an overview of a methodology designed to assess the security of chemical facilities in the United States.
The prototype methodology identifies and assesses the potential security threats, risks, and vulnerabilities present in chemical facilities across the country. The report also guides the chemical facility industry on how to make security improvements. The methodology is known as the Vulnerability Assessment Model (VAM), which is a systematic, risk-based approach. Risk is a function of the severity of consequences, the likelihood of adversary attack, and the likelihood of adversary success in causing an undesired event. There are 12 basic steps to the VAM approach: (1) screening for the need to employ VAM; (2) defining the project; (3) characterizing the facility; (4) assessing security levels; (5) assessing threats; (6) prioritizing threats; (7) preparing for a site analysis; (8) surveying the site; (9) analyzing the system’s effectiveness; (10) analyzing risks; (11) making recommendations for risk reduction; and (12) preparing the final report. This report presents each of the 12 steps in detail. Specific recommendations for reducing the risk level of a chemical facility include physical protection improvements, such as the addition of sensors on gates and doors, a security alarm control center, and hardened doors and locks. Other recommendations may include process control protection improvements, such as firewalls, virus protection, and computer audits of activities on the network. The use of this vulnerability assessment methodology is limited to preventing or hampering terrorist or chemical actions that could significantly affect the Nation or certain localities, including actions that could injure or kill facility employees and adjoining populations. The methodology assesses physical security at fixed sites; it does not address cyber or transportation security risks.

Date Published: November 1, 2002