The RBPS metrics and the SSP raise some issues that aren’t well appreciated.
RBPS metrics. The draft RBPS Guidance only reflects the DHS’ view on various performance standards without the force or effect of law. The enabling legislation forbids the DHS from specifying security measures. However, while specific security measures and practices identified in the guidance aren’t mandatory and may not reflect the preferred solution in every case, they certainly are examples of measures and practices that high-risk facilities may wish to strongly consider as part of the overall strategy to address the RBPS. The unspoken truth is that these measures likely mirror the DHS’ perception, so it’s prudent to believe that inspectors will see them as the “textbook” solution set.
The draft RBPS Guidance likely will undergo some changes but these most likely will be cosmetic. Therefore, facility owners/operators can use the draft document as a reasonable baseline for planning prior to submission of the SSP, until such time as the final guidance is disseminated officially.
The Site Security Plan. Once the tier determination letter has been issued, a regulated facility must complete another online submission to the DHS, the Chemical Security Assessment Tool (CSAT) SSP. This employs a serial check-in-the-box plus fill-in-the-blank format for data collection to capture the site security posture.
CFATS focuses on threats posed by terrorists. So, the Security Vulnerability Assessment (SVA) uses DHS-provided assumptions for specified scenarios to examine these higher-order threats. The SVA isn’t designed to evaluate threats posed by other adversaries such as disgruntled insiders, activists or criminals or to help facility managers optimize or justify expenditures of resources to address related security upgrades. Thus, owner/operators still will need to determine if the security countermeasures provided also effectively address lower-order threats and meet corporate security objectives.
From a facility perspective, in its current configuration the CSAT SSP isn’t well integrated with the other tools used for data submittal. Chemicals of interest (COI) assets identified by the facility in the CSAT SVA may not even have a one-to-one correlation with the asset-related questions posed in the CSAT SSP. In some cases, the SSP may not focus on the most salient security concerns — it may focus either too broadly, encompassing adjacent non-critical areas, or too narrowly, requiring protection of an asset with the highest-concentration COI while overlooking adjacent assets with significant amounts of the same COI but slightly lower quantities.
The output generated after providing the DHS with the requested SSP data isn’t intended to be a working “security plan” at the facility level, nor does the CSAT SSP tie directly to the RBPS Guidance to facilitate gap analysis. So, facility owner/operators must conduct additional gap analysis efforts, based on the submittal to the DHS, pairing potential security shortfalls with applicable RBPS metrics for the facility tier, and develop a functional security plan (which we’ll refer to as a Facility Security Plan (FSP), to avoid confusion between it and the CSAT SSP submission).
Bridging the Gap
The scope of an FSP that operationalizes CSAT SSP data and RBPS requirements actually must be broader than most “industry standard” security plans because it also should include verifiable information about how the facility will address RBPS elements that historically are covered in documents separate from most plans. For an FSP to be truly effective, it must clearly spell out, for example, the response organization; roles and responsibilities beyond security into emergency preparedness; detailed concepts of operation that may need to be tied to the National Incident Management System; training that may need to be tied to the Homeland Security Exercise and Evaluation Program (HSEEP); as well as preventive maintenance schedules and contingency actions for critical security components and systems.