Defuse CFATS Challenges

“High risk” chemical sites covered by the Chemical Facility Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security (DHS) now should be receiving letters giving the DHS’ final determination of the consequence tiers into which they fall (see “Rule Affects Many Facilities” sidebar). With that determination in hand, they must move to meet Site Security Plan (SSP) requirements of the particular tier. So, here we delve into how Risk-Based Performance Standards (RBPS) metrics drive the SSP requirements and how best to deal with the requirements.

The DHS began evaluating public comments submitted on the draft Risk-Based Performance Standards Guidance in late November 2008 (see http://www.dhs.gov/xprevprot/programs/gc_1224871388487.shtm). This guidance was developed to assist high-risk chemical facilities in selecting and implementing protective measures and practices to meet the applicable RBPS depending on their final tier designation. The current 18 RBPS (19 counting the “any additional” caveat that allows the DHS to add future standards) cover securing and monitoring the site, controlling access, coordinating emergency response and crisis management, training, recordkeeping, and a dozen other related topic areas. Each has graduated levels of performance expectations (metrics) applicable to one or more of the four tiers. A site can use a variety of measures to satisfy any given RBPS, resulting in “layers of protection,” where the same measures could address more than one RBPS.

The draft RBPS Guidance describes the general level of performance that facilities should strive to achieve under every RBPS in each of the four tiers. It also seeks to help facilities comply with CFATS by detailing the 18 RBPS as well as providing examples of various security measures and practices that facilities could consider for each RBPS at each tier. Managers of a high-risk facility have the option to choose and implement the suggested measures or other similar measures to meet the RBPS level of performance based on the site’s tier level.

Covered facilities have provided to DHS, via an online Security Vulnerability Assessment (SVA), with facility information, limited asset characterization, collateral blast impact estimates for various terrorist scenarios and related security data. The SVA process doesn’t provide facility managers with much viable “vulnerability” information upon which to base decisions for overall, cohesive security upgrades. Additionally, because the CFATS regulation specifically addresses terrorist threats, the singular focus on “high end” threats overlooks less malevolent but potentially more likely adversaries that also should be evaluated and addressed if the facility is to maintain a comprehensive security program (see “Consider the Whole Picture” sidebar).

The Nuances
The RBPS metrics and the SSP raise some issues that aren’t well appreciated.

RBPS metrics. The draft RBPS Guidance only reflects the DHS’ view on various performance standards without the force or effect of law. The enabling legislation forbids the DHS from specifying security measures. However, while specific security measures and practices identified in the guidance aren’t mandatory and may not reflect the preferred solution in every case, they certainly are examples of measures and practices that high-risk facilities may wish to strongly consider as part of the overall strategy to address the RBPS. The unspoken truth is that these measures likely mirror the DHS’ perception and, so, it’s prudent to believe that they will be seen by inspectors as the “text book” solution set.

The draft RBPS Guidance likely will undergo some changes but these most likely will be cosmetic. Therefore, facility owners/operators can use the draft document as a reasonable baseline for planning prior to submission of the SSP, until such time as the final guidance is disseminated officially.

The Site Security Plan. Once the tier determination letter has been issued, a regulated facility must complete another online submission to the DHS, the Chemical Security Assessment Tool (CSAT) SSP. This employs a serial check-in-the-box plus fill-in-the-blank format for data collection to capture the site security posture.