Effectively managing CFATS requires a working security plan. Although not specifically needed for CFATS compliance, developing the FSP is perhaps the most-labor-intensive aspect of effectively addressing CFATS requirements. It potentially includes development of an overarching Corporate Security Plan (policy level) prior to the preparation of facility-specific security guidance (procedure level) documentation. Facility management may have reason for concern if current security plans at the corporate or facility level are less than adequate or nonexistent. Generating comprehensive documents of this type requires allocation of time and expertise that may be problematic, especially if management doesn’t want to commit extensive resources until the DHS’ final facility tier determination comes in — such a delay generally is unwarranted and unwise because the majority of sites can expect to remain in the same tier as initially assigned.
An organization should consider developing a template suitable for multiple similar facility SSP submissions. Regardless, facility management must accurately capture all of the disparate data necessary to complete the CSAT SSP. Don’t let the experience gleaned from use of the earlier CSAT submittals lull managers into waiting until the tier-determination letter arrives. While it may seem almost simple to conduct a check-the-box data submission, the CSAT SSP actually is the foundation document that DHS management will use to assess the adequacy of security and on which DHS inspectors will base their compliance findings. The more complex the facility or the higher the tier it’s assigned, the more lead time generally is required to collect the data and prepare the documentation necessary to obtain senior management approvals with regard to potential upgrades needed to meet applicable RBPS. Delaying such decision-making until the day before the deadline for submission of the CSAT SSP could result in pressured commitments of significant financial expenditure rather than advance preparation of well-crafted, cost-effective strategies to determine the minimum capital outlay needed to meet the RBPS.
We suggest creating a separate annex that specifically addresses CFATS SSP issues and requirements as part of the integrated FSP, to avoid information spilldown that could occur when DHS inspectors examine elements of the plan applicable to CFATS. Always keep in mind that all elements provided to a DHS inspector conducting a plan review are potentially subject to evaluation, including those security elements not specifically covered by CFATS.
Because, as we’ve noted, relatively few sites are expected to have their tier designations changed for the final tiering, the sensible path forward is to begin evaluating existing facility security countermeasures and comparing them with the associated RBPS metrics for the initial tier-level determination for each facility, focusing on the higher-tier, more-complex sites first. For each facility, management should identify any need for upgraded countermeasures consistent with the RBPS Guidance and consider options before finalizing the upgrades. Also, it should determine whether the existing measures or proposed upgrades will address the broader spectrum of adversaries of concern to the corporation beyond CFATS’ scope. The difficulty of this activity is compounded for organizations with multiple facilities, especially ones with disparate tier determinations.
Any significant shortfall between existing security countermeasures and applicable RBPS should prompt facility management to find solutions to meet the RBPS shortfall or generate rationales as to why existing systems suffice to provide the necessary security-in-depth. Such discussions obviously are most productive when management has the information at hand regarding the configuration of existing systems, especially if the facility has recently undergone an industry-standard facility risk assessment using one of the methodologies identified in the CFATS regulation. Such formal security-vulnerability-assessment processes can markedly improve management of security risks, providing significantly more information for management evaluation than relying on the printout from the CSAT SVA.