"High risk" chemical sites covered by the Chemical Facility Anti-Terrorism Standards (CFATS) of the U.S. Department of Homeland Security (DHS) now should be receiving letters giving the DHS’ final determination of the consequence tiers into which they fall. With that determination in hand, they must move to meet Site Security Plan (SSP) requirements of the particular tier. So, here we delve into how Risk-Based Performance Standards (RBPS) metrics drive the SSP requirements and how best to deal with the requirements. The DHS began evaluating public comments submitted on the draft Risk-Based Performance Standards Guidance in late November 2008 (see http://www.dhs.gov/xprevprot/programs/gc_1224871388487.shtm). This guidance was developed to assist high-risk chemical facilities in selecting and implementing protective measures and practices to meet the applicable RBPS depending on their final tier designation. The current 18 RBPS (19 counting the “any additional” caveat that allows the DHS to add future standards) cover securing and monitoring the site, controlling access, coordinating emergency response and crisis management, training, recordkeeping, and a dozen other related topic areas. Each has graduated levels of performance expectations (metrics) applicable to one or more of the four tiers. A site can use a variety of measures to satisfy any given RBPS, resulting in “layers of protection,” where the same measures could address more than one RBPS.
Rule Affects Many Facilities
CFATS required over 36,000 sites handling specific chemicals of interest to complete a Top Screen. From this group, the DHS tentatively designated nearly 7,000 as “high risk” chemical sites. Each of these had to submit a Security Vulnerability Assessment. The DHS then assigned the sites to one of four tiers, based on the risk posed. The final push of the CFATS rule — its essence — is to prove compliance to Risk-Based Performance Standards, to complete the SSP and to continually implement the plan.
The draft RBPS Guidance describes the general level of performance that facilities should strive to achieve under every RBPS in each of the four tiers. It also seeks to help facilities comply with CFATS by detailing the 18 RBPS as well as providing examples of various security measures and practices that facilities could consider for each RBPS at each tier. Managers of a high-risk facility have the option to choose and implement the suggested measures or other similar measures to meet the RBPS level of performance based on the site’s tier level.
Covered facilities have provided to DHS, via an online Security Vulnerability Assessment (SVA), with facility information, limited asset characterization, collateral blast impact estimates for various terrorist scenarios and related security data. The SVA process doesn’t provide facility managers with much viable “vulnerability” information upon which to base decisions for overall, cohesive security upgrades. Additionally, because the CFATS regulation specifically addresses terrorist threats, the singular focus on “high end” threats overlooks less malevolent but potentially more likely adversaries that also should be evaluated and addressed if the facility is to maintain a comprehensive security program.
The RBPS metrics and the SSP raise some issues that aren’t well appreciated.
RBPS metrics. The draft RBPS Guidance only reflects the DHS’ view on various performance standards without the force or effect of law. The enabling legislation forbids the DHS from specifying security measures. However, while specific security measures and practices identified in the guidance aren’t mandatory and may not reflect the preferred solution in every case, they certainly are examples of measures and practices that high-risk facilities may wish to strongly consider as part of the overall strategy to address the RBPS. The unspoken truth is that these measures likely mirror the DHS’ perception and, so, it’s prudent to believe that they will be seen by inspectors as the “text book” solution set.
The draft RBPS Guidance likely will undergo some changes but these most likely will be cosmetic. Therefore, facility owners/operators can use the draft document as a reasonable baseline for planning prior to submission of the SSP, until such time as the final guidance is disseminated officially.
The Site Security Plan. Once the tier determination letter has been issued, a regulated facility must complete another online submission to the DHS, the Chemical Security Assessment Tool (CSAT) SSP. This employs a serial check-in-the-box plus fill-in-the-blank format for data collection to capture the site security posture.
Consider the Whole Picture
CFATS focuses on threats posed by terrorists. So, the SVA uses DHS-provided assumptions for specified scenarios to examine these higher-order threats. The SVA isn’t designed to evaluate threats posed by other adversaries such as disgruntled insiders, activists or criminals or to help facility managers optimize or justify expenditures of resources to address related security upgrades. Thus, owner/operators still will need to determine if the security countermeasures provided also effectively address lower-order threats and meet corporate security objectives. (Please take our online survey that appears at the bottom of this page to let us know whether your site is focusing its security efforts exclusively on meeting CFATS.)
From a facility perspective, in its current configuration the CSAT SSP isn’t well integrated with the other tools used for data submittal. Chemicals of interest (COI) assets identified by the facility in the CSAT SVA may not even have a one-to-one correlation with the asset-related questions posed in the CSAT SSP. In some cases, the SSP may not focus on the most salient security concerns — it may focus either too broadly, encompassing adjacent non-critical areas, or too narrowly, requiring protection of an asset with the highest concentration COI while overlooking adjacent assets with significant amounts of the same COI but slightly lower quantities.
The output generated after providing the DHS with the requested SSP data isn’t intended to be a working “security plan” at the facility level, nor does the CSAT SSP tie directly to the RBPS Guidance to facilitate gap analysis. So, facility owner/operators must conduct additional gap analysis efforts, based on the submittal to the DHS, pairing potential security shortfalls with applicable RBPS metrics for the facility tier, and develop a functional security plan (which we’ll refer to as a Facility Security Plan (FSP), to avoid confusion between it and the CSAT SSP submission).
Bridging the Gap
The scope of a FSP that operationalizes CSAT SSP data and RBPS requirements actually must be broader than most “industry standard” security plans because it also should include verifiable information about how the facility will address RBPS elements that historically are covered in documents separate from most plans. For a FSP to be truly effective, it must clearly spell out, for example, the response organization; roles and responsibilities beyond security into emergency preparedness; detailed concepts of operation that may need to be tied to the National Incident Management System; training that may need to be tied to the Homeland Security Exercise and Evaluation Program (HSEEP); as well as preventive maintenance schedules and contingency actions for critical security components and systems.
Effectively managing CFATS requires a working security plan. Although not specifically needed for CFATS compliance, developing the FSP is perhaps the most-labor-intensive aspect of effectively addressing CFATS requirements. It potentially includes development of an overarching Corporate Security Plan (policy level) prior to the preparation of facility-specific security guidance (procedure level) documentation. Facility management may have reason for concern if current security plans at the corporate or facility level are less than adequate or nonexistent. Generating comprehensive documents of this type requires allocation of time and expertise that may be problematic, especially if management doesn’t want to commit extensive resources until the DHS’ final facility tier determination comes in — such a delay generally is unwarranted and unwise because the majority of sites can expect to remain in the same tier as initially assigned.
An organization should consider developing a template suitable for multiple similar facility SSP submissions. Regardless, facility management must accurately capture all of the disparate data necessary to complete the CSAT SSP. Don’t let the experience gleaned from use of the earlier CSAT submittals lull managers into waiting until the tier-determination letter arrives. While it may seem almost simple to conduct a check-the-box data submission, the CSAT SSP actually is the foundation document DHS management will use to assess the adequacy of security and DHS inspectors will base their compliance findings. The more complex the facility or the higher tier it’s assigned, the more lead time generally is required to collect the data and prepare the documentation necessary to obtain senior management approvals with regard to potential upgrades needed to meet applicable RBPS. Delaying such decision-making until the day before the deadline for submission of the CSAT SSP could result in pressured commitments of significant financial expenditure rather than advance preparation of well-crafted cost-effective strategies to determine the minimum capital outlay needed to meet the RBPS.
We suggest creating a separate annex that specifically addresses CFATS SSP issues and requirements as part of the integrated FSP, to avoid information spilldown that could occur when DHS inspectors examine elements of the plan applicable to CFATS. Always keep in mind that all elements provided to a DHS inspector conducting a plan review are potentially subject to evaluation, including those security elements not specifically covered by CFATS.
Because, as we’ve noted, relatively few sites are expected to have their tier designations changed for the final tiering, the sensible path forward is to begin to evaluate existing facility security countermeasures and compare them with the associated RBPS metrics for the initial tier-level determination for each facility, focusing on the higher-tier more-complex sites first. For each facility, management should identify the need for upgraded countermeasures consistent with the RBPS Guidance as is necessary and consider options before finalizing the upgrades. Also, it should determine if the existing measures or proposed upgrades will address the broader spectrum of adversaries of concern to the corporation beyond CFATS’ scope. The difficulty of this activity is compounded for organizations with multiple facilities, especially ones with disparate tier determinations.
Any significant shortfall between existing security countermeasures and applicable RBPS should prompt facility management to find solutions to meet the RBPS shortfall or generate rationales as to why existing systems suffice to provide the necessary security-in-depth. Such discussions obviously are most productive when management has the information at hand regarding the configuration of existing systems, especially if the facility has recently undergone an industry-standard facility risk assessment using one of the methodologies identified in the CFATS regulation. Such formal security-vulnerability-assessment processes can markedly improve management of security risks, providing significantly more information for management evaluation than relying on the printout from the CSAT SVA.
The actual preparation and submission of the CSAT SSP, although quite time consuming, is relatively straightforward, presuming the facility information has been gathered and evaluated in advance; otherwise the submittal process could be cumbersome, requiring multiple log-in sessions to the DHS server or potential assignment of field personnel to gather and forward information to the submitter while online. Neither of these “wait until the facility receives the letter from THE DHS” options are as efficient as collecting the information in advance and having the preparer and submitter fully up-to-speed before and during the submission process.
As with the Top Screen and the CSAT SVA, the submitter should make sure to generate a printed copy of the SSP submission before sending the electronic data to the DHS — once the information has been sent, there’s no way for the facility to directly access those data without going through a special request procedure.
The Path Forward
The clock is running for the CSAT SSP, subsequent plan approvals and related inspection audits by the DHS. This year very likely will see additional legislative action to produce a permanent (perhaps amended) CFATS rule. There’s clear evidence that lawmakers will press to strengthen, rather than weaken, requirements under CFATS. This very likely may include requiring consideration of the concept of inherent safety (http://epw.senate.gov/109th/Moore_Testimony.pdf) and removing current exemptions for facilities covered under other regulations.
We recommend performing a systematic assessment of the intent of CFATS against the actual practices and security measures of the covered facility. Conduct a careful analysis, then use a structured and uniform method adjusted by site-specific needs. In the final analysis, firms that develop a well-thought-out, well-supported, carefully documented, and well-implemented approach will likely achieve the intent the DHS desires.
David A. Moore is president and ceo of the AcuTech Consulting Group, Alexandria, Va. Harry M. Leith is a senior principal consultant and Lee Salamone is a senior consultant for the firm. E-mail them at email@example.com, firstname.lastname@example.org and email@example.com.