The U.S. government has established its first-ever security mandates for “high risk chemical facilities.” The Chemical Facility Anti-Terrorism Standards are designed to identify high risk facilities through a series of steps involving both the chemical facilities and the U.S. Department of Homeland Security (DHS). The lynchpin for facilities to be included in the process is whether they manufacture, use, store or distribute certain chemicals above a specified quantity. These chemical and quantities are defined in Appendix A of the standards.
A company must prepare compliance materials if DHS deems that all aspects of the regulation apply to a facility. In this article, we offer some guidance to help you prepare such materials and respond to DHS in the event your facility must conduct a security vulnerability assessment.
Organizations that manufacture, use, store or distribute chemicals contained in Appendix A were required to register and complete a Top Screen process under Public Law 109- 295 Section 550. This step had to be finished within 60 days after the November 20, 2007 release of Appendix A.
The Chemical Security Assessment Tool (CSAT) is DHS’s system for collecting and analyzing key data from chemical facilities that have the potential to fall under the new regulations. CSAT will be used to support the preliminary and final decisions about placing a facility into one of four risk-based tiers.
Companies were required to register for CSAT and use it to provide information to DHS regarding facility background, chemicals on site and the risks associated with those chemicals. This submission can be made only via the Internet. There are very stringent requirements on controlling information associated with the CSAT process. Prior to getting access to the CSAT system, all persons who are involved must be precertified by DHS. To gain certification persons must demonstrate an understanding of the importance of safeguarding information related to chemical security vulnerability. To register and get the appropriate employees trained, visit the DHS web site.
Figure 1. Risk analysis must take into account both the probability of an event and the severity of its consequences.
After completing your Top Screen process online, a screen informing the user that the facility “may be regulated” or “not regulated” will appear. Subsequently, DHS will notify you by mail to confirm whether or not you will be regulated under CFATS and, if so, to what risk tier you will be assigned.
Security vulnerability assessment
If, following the Top Screen process, DHS informs your company that a facility will be regulated, you must conduct a Security Vulnerability Assessment (SVA). You will have 90 days after DHS classifies the site to complete and submit this assessment. The mission of the vulnerability assessment will be to reduce the risk of:
- toxic chemical release;
- theft and diversion of chemicals that could be used as precursors for explosives or weapons of mass destruction;
- sabotage or contamination of chemicals; and
- impact on critical government activities and the national economy.
The SVA clearly is a collaborative process whose success depends upon the quality of the team that’s assembled to conduct the study. The team typically should consist of representatives from site security, risk management, operations, engineering, safety, environmental protection, regulatory compliance, logistics/distribution, information technology and other areas, as required. To have a valid outcome, it’s important to include a security professional on your team.
Many organizations will need to look outside for the security expertise necessary to complete the SVA. Hire only an independent consultant. Consider, for example, members of the International Association of Professional Security Consultants (IAPSC), as they must adhere to a strict code of ethics and are truly full-time independent consultants, not part-time consultants or ones tied to the sale of products or other services like hardware salesmen, guard contractors or private detectives who may profess to do it all. Your consultant should have experience working in the chemical industry and with the common methodologies for conducting SVAs, such as that from the Center for Chemical Process Safety. Look for credentials like Certified Protection Professional (CPP) or Physical Security Professional (PSP) from ASIS International or Certified Security Consultant (CSC) from the International Association of Professional Security Consultants. A key component of SVAs is actually understanding where adversaries can exploit weaknesses in a facility’s security — certifications indicate that a consultant can offer sound opinions.
Preparing your SVA
DHS’s identification of the chemicals of interest and the risks associated with them will provide the focus for your SVA. Doing it doesn’t have to be an onerous task. Selecting the right people and proper pre-planning can make the process operate very smoothly (see sidebar). To make the most of your assessment, it’s important to understand each of the required steps and their associated best practices:
Asset characterization. This involves the identification of critical assets (done in the Top Screen), evaluation of existing countermeasures and quantification of the severity of consequences. The severity of the consequences and asset attractiveness are used to screen the facility assets into those that require only general security countermeasures versus those that require more specific actions; protection levels must be spelled out in your site security plan. As soon as possible identify the scenarios that will be addressed in your SVA (i.e., release, theft/diversion, etc.) because the remainder of the SVA will focus on the risk associated with these scenarios.