An organization should consider developing a template suitable for multiple similar facility SSP submissions. Regardless, facility management must accurately capture all of the disparate data necessary to complete the CSAT SSP. Don’t let the experience gleaned from use of the earlier CSAT submittals lull managers into waiting until the tier-determination letter arrives. While it may seem almost simple to conduct a check-the-box data submission, the CSAT SSP actually is the foundation document DHS management will use to assess the adequacy of security and DHS inspectors will base their compliance findings. The more complex the facility or the higher tier it’s assigned, the more lead time generally is required to collect the data and prepare the documentation necessary to obtain senior management approvals with regard to potential upgrades needed to meet applicable RBPS. Delaying such decision-making until the day before the deadline for submission of the CSAT SSP could result in pressured commitments of significant financial expenditure rather than advance preparation of well-crafted cost-effective strategies to determine the minimum capital outlay needed to meet the RBPS.
We suggest creating a separate annex that specifically addresses CFATS SSP issues and requirements as part of the integrated FSP, to avoid information spilldown that could occur when DHS inspectors examine elements of the plan applicable to CFATS. Always keep in mind that all elements provided to a DHS inspector conducting a plan review are potentially subject to evaluation, including those security elements not specifically covered by CFATS.
Because, as we’ve noted, relatively few sites are expected to have their tier designations changed for the final tiering, the sensible path forward is to begin to evaluate existing facility security countermeasures and compare them with the associated RBPS metrics for the initial tier-level determination for each facility, focusing on the higher-tier more-complex sites first. For each facility, management should identify the need for upgraded countermeasures consistent with the RBPS Guidance as is necessary and consider options before finalizing the upgrades. Also, it should determine if the existing measures or proposed upgrades will address the broader spectrum of adversaries of concern to the corporation beyond CFATS’ scope. The difficulty of this activity is compounded for organizations with multiple facilities, especially ones with disparate tier determinations.
Any significant shortfall between existing security countermeasures and applicable RBPS should prompt facility management to find solutions to meet the RBPS shortfall or generate rationales as to why existing systems suffice to provide the necessary security-in-depth. Such discussions obviously are most productive when management has the information at hand regarding the configuration of existing systems, especially if the facility has recently undergone an industry-standard facility risk assessment using one of the methodologies identified in the CFATS regulation. Such formal security-vulnerability-assessment processes can markedly improve management of security risks, providing significantly more information for management evaluation than relying on the printout from the CSAT SVA.
The actual preparation and submission of the CSAT SSP, although quite time consuming, is relatively straightforward, presuming the facility information has been gathered and evaluated in advance; otherwise the submittal process could be cumbersome, requiring multiple log-in sessions to the DHS server or potential assignment of field personnel to gather and forward information to the submitter while online. Neither of these “wait until the facility receives the letter from THE DHS” options are as efficient as collecting the information in advance and having the preparer and submitter fully up-to-speed before and during the submission process.
As with the Top Screen and the CSAT SVA, the submitter should make sure to generate a printed copy of the SSP submission before sending the electronic data to the DHS — once the information has been sent, there’s no way for the facility to directly access those data without going through a special request procedure.
The Path Forward
The clock is running for the CSAT SSP, subsequent plan approvals and related inspection audits by the DHS. This year very likely will see additional legislative action to produce a permanent (perhaps amended) CFATS rule. There’s clear evidence that lawmakers will press to strengthen, rather than weaken, requirements under CFATS. This very likely may include requiring consideration of the concept of inherent safety (http://epw.senate.gov/109th/Moore_Testimony.pdf) and removing current exemptions for facilities covered under other regulations.
We recommend performing a systematic assessment of the intent of CFATS against the actual practices and security measures of the covered facility. Conduct a careful analysis, then use a structured and uniform method adjusted by site-specific needs. In the final analysis, firms that develop a well-thought-out, well-supported, carefully documented, and well-implemented approach will likely achieve the intent the DHS desires.
David A. Moore is president and ceo of the AcuTech Consulting Group, Alexandria, Va. Harry M. Leith is a senior principal consultant and Lee Salamone is a senior consultant for the firm. E-mail them at email@example.com, firstname.lastname@example.org and email@example.com.