The U.S. government has established its first-ever security mandates for “high risk chemical facilities” (www.ChemicalProcessing.com/articles/2007/095.html). The Chemical Facility Anti-Terrorism Standards are designed to identify high risk facilities through a series of steps involving both the chemical facilities and the U.S. Department of Homeland Security (DHS). The lynchpin for facilities to be included in the process is whether they manufacture, use, store or distribute certain chemicals above a specified quantity. These chemical and quantities are defined in Appendix A of the standards.
A company must prepare compliance materials if DHS deems that all aspects of the regulation apply to a facility. In this article, we offer some guidance to help you prepare such materials and respond to DHS in the event your facility must conduct a security vulnerability assessment.
Organizations that manufacture, use, store or distribute chemicals contained in Appendix A were required to register and complete a Top Screen process under Public Law 109- 295 Section 550. This step had to be finished within 60 days after the November 20, 2007 release of Appendix A.
The Chemical Security Assessment Tool (CSAT) is DHS’s system for collecting and analyzing key data from chemical facilities that have the potential to fall under the new regulations. CSAT will be used to support the preliminary and final decisions about placing a facility into one of four risk-based tiers.
Companies were required to register for CSAT and use it to provide information to DHS regarding facility background, chemicals on site and the risks associated with those chemicals. This submission can be made only via the Internet (https://csat-registration.dhs.gov/). There are very stringent requirements on controlling information associated with the CSAT process. Prior to getting access to the CSAT system, all persons who are involved must be pre-certified by DHS. To gain certification persons must demonstrate an understanding of the importance of safeguarding information related to chemical security vulnerability. To register and get the appropriate employees trained, visit the DHS web site at https://csat.dhs.gov/cvi_training/.
After completing your Top Screen process online, a screen informing the user that the facility “may be regulated” or “not regulated” will appear. Subsequently, DHS will notify you by mail to confirm whether or not you will be regulated under CFATS and, if so, to what risk tier you will be assigned.
Security vulnerability assessment
If, following the Top Screen process, DHS informs your company that a facility will be regulated, you must conduct a Security Vulnerability Assessment (SVA). You will have 90 days after DHS classifies the site to complete and submit this assessment. The mission of the vulnerability assessment will be to reduce the risk of:
• toxic chemical release;
• theft and diversion of chemicals that could be used as precursors for explosives or weapons of mass destruction;
• sabotage or contamination of chemicals; and
• impact on critical government activities and the national economy.
The SVA clearly is a collaborative process whose success depends upon the quality of the team that’s assembled to conduct the study. The team typically should consist of representatives from site security, risk management, operations, engineering, safety, environmental protection, regulatory compliance, logistics/distribution, information technology and other areas, as required. To have a valid outcome, it’s important to include a security professional on your team.
Many organizations will need to look outside for the security expertise necessary to complete the SVA. Hire only an independent consultant. Consider, for example, members of the International Association of Professional Security Consultants (IAPSC), as they must adhere to a strict code of ethics and are truly full-time independent consultants, not part-time consultants or ones tied to the sale of products or other services like hardware salesmen, guard contractors or private detectives who may profess to do it all. Your consultant should have experience working in the chemical industry and with the common methodologies for conducting SVAs, such as that from the Center for Chemical Process Safety. Look for credentials like Certified Protection Professional (CPP) or Physical Security Professional (PSP) from ASIS International or Certified Security Consultant (CSC) from the International Association of Professional Security Consultants. A key component of SVAs is actually understanding where adversaries can exploit weaknesses in a facility’s security — certifications indicate that a consultant can offer sound opinions.