The draft RBPS Guidance likely will undergo some changes but these most likely will be cosmetic. Therefore, facility owners/operators can use the draft document as a reasonable baseline for planning prior to submission of the SSP, until such time as the final guidance is disseminated officially.
The Site Security Plan. Once the tier determination letter has been issued, a regulated facility must complete another online submission to the DHS, the Chemical Security Assessment Tool (CSAT) SSP. This employs a serial check-in-the-box plus fill-in-the-blank format for data collection to capture the site security posture.
Consider the Whole Picture
CFATS focuses on threats posed by terrorists. So, the SVA uses DHS-provided assumptions for specified scenarios to examine these higher-order threats. The SVA isn’t designed to evaluate threats posed by other adversaries such as disgruntled insiders, activists or criminals or to help facility managers optimize or justify expenditures of resources to address related security upgrades. Thus, owner/operators still will need to determine if the security countermeasures provided also effectively address lower-order threats and meet corporate security objectives. (Please take our online survey that appears at the bottom of this page to let us know whether your site is focusing its security efforts exclusively on meeting CFATS.)
From a facility perspective, in its current configuration the CSAT SSP isn’t well integrated with the other tools used for data submittal. Chemicals of interest (COI) assets identified by the facility in the CSAT SVA may not even have a one-to-one correlation with the asset-related questions posed in the CSAT SSP. In some cases, the SSP may not focus on the most salient security concerns — it may focus either too broadly, encompassing adjacent non-critical areas, or too narrowly, requiring protection of an asset with the highest concentration COI while overlooking adjacent assets with significant amounts of the same COI but slightly lower quantities.
The output generated after providing the DHS with the requested SSP data isn’t intended to be a working “security plan” at the facility level, nor does the CSAT SSP tie directly to the RBPS Guidance to facilitate gap analysis. So, facility owner/operators must conduct additional gap analysis efforts, based on the submittal to the DHS, pairing potential security shortfalls with applicable RBPS metrics for the facility tier, and develop a functional security plan (which we’ll refer to as a Facility Security Plan (FSP), to avoid confusion between it and the CSAT SSP submission).
Bridging the Gap
The scope of a FSP that operationalizes CSAT SSP data and RBPS requirements actually must be broader than most “industry standard” security plans because it also should include verifiable information about how the facility will address RBPS elements that historically are covered in documents separate from most plans. For a FSP to be truly effective, it must clearly spell out, for example, the response organization; roles and responsibilities beyond security into emergency preparedness; detailed concepts of operation that may need to be tied to the National Incident Management System; training that may need to be tied to the Homeland Security Exercise and Evaluation Program (HSEEP); as well as preventive maintenance schedules and contingency actions for critical security components and systems.
Effectively managing CFATS requires a working security plan. Although not specifically needed for CFATS compliance, developing the FSP is perhaps the most-labor-intensive aspect of effectively addressing CFATS requirements. It potentially includes development of an overarching Corporate Security Plan (policy level) prior to the preparation of facility-specific security guidance (procedure level) documentation. Facility management may have reason for concern if current security plans at the corporate or facility level are less than adequate or nonexistent. Generating comprehensive documents of this type requires allocation of time and expertise that may be problematic, especially if management doesn’t want to commit extensive resources until the DHS’ final facility tier determination comes in — such a delay generally is unwarranted and unwise because the majority of sites can expect to remain in the same tier as initially assigned.