An ASP also is acceptable for communicating the SSP to DHS. This alternative to online submission may make a lot more sense for some organizations and cost significantly less to implement. This concept is similar to that of the ASP that Tier Four sites could submit as part of the SVA process but applies to all facilities’ SSP requirement. We recommend that companies consider this approach, particularly if they have a number of regulated sites.
Organizations with multiple sites can prepare a model corporate ASP. This then can be amended to meet the unique requirements of each regulated site and submitted to meet the SSP requirement, creating additional efficiencies.
A security program that’s sophisticated enough to address terrorism demands good documentation — to maintain continuity as personnel changes occur at a facility. According to one chemical industry trade association, “to sustain a consistent and reliable security program over time, companies must document the key elements of their program. Consistency and reliability will translate into a more secure workplace and community.”
In addition, a CFATS security program requires substantial training for people with security duties, other employees and even contractors. Such programs also need close coordination with local law enforcement agencies.
Table 1 outlines the contents of a typical security plan. Whether a facility elects to prepare an operational security plan after filing online via CSAT or to use it as a time- and cost-savings initiative to submit as an ASP, the elements remain the same.
A properly prepared security plan satisfies a fundamental business need to address the full spectrum of threats, not just those from terrorism. In many cases, other risks (i.e., theft, fraud, workplace violence, product pilferage, etc.) represent more likely worst-case scenarios. Consequently, a comprehensive security plan may do more to improve an organization’s security posture and bottom line than a plan focused solely on terrorism. In some cases, the failure to properly predict and manage risks can lead to unforeseen liability for organizations.
Preparing the Plan
A baseline plan to meet operational and regulatory requirements always is easier to derive from a completed gap analysis for existing conditions. These conditions are based on specific scenarios the facility must address, which are determined by the chemical(s) on site. One way to prepare a gap analysis is to document existing conditions at the site against the metrics published in the DHS RBPS. That document can be found at www.dhs.gov/xprevprot/programs/gc_1224871388487.shtm.
Each of the four tiers requires a gap analysis tool. It could be expanded to cover all performance metrics in a facility’s assigned tier as listed in the October 2008 draft RBPS document (pp. 27–127). This document may undergo some minor revisions; a summary of the changes between that draft and the final version will be posted at www.securingpeople.com.
A key decision that must be made when developing the strategy for an operational security plan is whether the physical security defense plan will emphasize the facility’s perimeter or will take a more asset-based approach. An asset-based approach may require a greater investment in barriers and technical measures inside the facility where critical assets are housed. However, depending on the site’s size and concentration of critical assets, it may be far more cost-effective to channel investments to specific areas of the facility (see sidebar).
Involving local law enforcement agencies is an important aspect of gap analysis and security planning. In a survey of more than a dozen regulated facilities in rural areas of the U.S., none of the responding Sheriff’s Departments was aware of the requirement for CVI training. As a result, nobody in those agencies has a CVI certificate that would have allowed the site and its consultant to discuss regulatory requirements or share detailed security-planning information for the betterment of the security program.
A review of the National Sheriff’s Association Web site reveals no information on CFATS or CVI. This suggests that additional communication is needed between DHS and the local law enforcement community. Until then, sites must address the need for CVI certification on a case-by-case basis. Most agencies encountered to date have been willing to explore and undergo the online DHS training. Keep in mind, however, that it’s illegal for sites to involve external authorities in detailed planning until CVI certification can be proven.
An additional challenge for small- to mid-sized companies is to determine exactly how all of this work to implement the regulation will get done. Typically, this size organization assigns security to non-security professionals with other responsibilities — we call them facility security officers; they may never have received training in security management. A closely related regulation, the Marine Transportation Security Act, stipulates the skills and competencies required of a facility security officer. My firm now is training CFATS facility security officers to close the gap left open by the lack of specific requirements in the regulation.
The Clock Is Ticking
Regulated chemical facilities now must make a SSP commitment to DHS. Corporate management may want to consider developing an operational security plan to serve as a substitute for the online filing of a CSAT SSP. At a minimum, we recommend having a documented security plan in place by the time a DHS inspector arrives for the on-site inspection. The ASP approach can help facility and security managers achieve this goal.
Frank Pisciotta is president of Business Protection Specialists, Canandaigua, N.Y., and is a Certified Security Consultant. E-mail him at email@example.com.