The U. S. Department of Homeland Security (DHS) now has assigned sites covered by the Chemical Facilities Anti-Terrorism Standards (CFATS) into one of four risk-based tiers (for more on CFATS, see “Defuse CFATS Challenges." The tier assignment will drive specific security standards that facilities must implement to comply with the regulation.
Within 120 days of receiving its tier notification letter, a site must communicate the elements of its site security plan (SSP) to DHS for administrative approval. This must outline how it will meet the 18 risk-based performance standards (RBPS).
CFATS compliance likely will incur a substantial cost. Based on nearly 20 preliminary engineering studies, estimates have ranged from $500,000 to $2 million per site.
Using an alternative security program (ASP) for the SSP offers several potential benefits — including an initial saving of staff time and thousands of dollars. In addition, an ASP may provide an overall better security posture against the entire spectrum of threats, not just those from terrorism. So, here, we’ll:
• look at possible advantages of preparing an ASP;
• provide a model outline for an operational SSP that can be used in addition to, or as a substitute for filing, an online SSP via the DHS Chemical Security Assessment Tool (CSAT) software;
• illustrate key decisions for determining an appropriate strategy for meeting the RBPS;
• point up the importance of involving law enforcement in the gap analysis process as part of the site’s security planning process; and
• discuss a potential challenge for small- to mid-size companies.
The regulation stipulates three basic requirements for a SSP:
1. addressing weaknesses identified in the facility’s security vulnerability assessment (SVA) and identifying and describing security measures to handle each;
2. specifying how selected security measures deal with applicable RBPS and potential modes of terrorist attacks; and
3. delineating how measures will meet or exceed each applicable performance standard for the facility’s assigned tier.
A site can provide information on its SSP to DHS in one of two ways.
The first is via the DHS’s Chemical Security Assessment Tool (CSAT) software, similar to that used by most sites to file their SVA. Filing the SSP online involves hundreds of pages of questions and answers. This process is time-consuming and requires a great deal of upfront data collection before sitting down at the computer. Another significant downside is that there won’t be any output from the CSAT software that subsequently can serve as an operational security plan. Such a plan is necessary to guide security and other employees as they meet the security commitments on a day-to-day basis. So, the site still will have the task of developing this plan.
Additionally, the online SSP requests a substantial amount of detail about physical security such as the types of access control measures, door hardware, camera types and lighting levels in various parts of the site. Sites likely will need a qualified security professional to help collect these data and prepare them for online submission. That person either can be an in-house or external resource — but ensure that any outside person you use is Chemical-terrorism Vulnerability Information (CVI) certified before any information exchange takes place. It’s not difficult to achieve CVI certification; it can be done online.