During the 2011 Chemical Sector Security Summit, I also had the chance to attend the “CVI – Do’s and Don’ts” session presented by Matthew Bettridge, Deputy Branch Chief for Policy & Programs Branch, Infrastructure Security Compliance Division, Department of Homeland Security (DHS). Mr. Bettridge first provided an overview of the Chemical-Terrorism Vulnerability Information (CVI) program and some clarification about the scope of CVI. He also offered examples of what is, and what is not CVI. He included a reference to the following scenario and explanation for a Chemical Facility Anti-Terrorism Standards (CFATS) final Tier 1 facility:
What is not CVI - The facility’s existing security measures (e.g., a video surveillance CCTV system) that is mentioned in the SSP. The contracts, purchase, purchase orders for the video surveillance /CCTV system, and any verbal or written references to the system outside of the SSP document are not CVI.
What is CVI - Explicit statements from the SSP, or derivative products from the SSP, are CVI.
Mr. Bettridge then announced that DHS will soon be releasing a new, revised CVI Procedural Manual as well as deploying a CVI Account Management Tool which will allow users to re-issue CVI Authorized User Certificates, update personal information as it changes, and take CVI training. He also discussed the proper procedures and protocols for disclosing CVI to local, state, and federal public officials. He noted that in the event there is a disagreement between the facility and officials regarding the disclosure in general or method of disclosure, facilities are encouraged to refer the matter to DHS.
Finally, Mr. Bettridge spoke about the President’s recent Executive Order on Controlled Unclassified Information (CUI), which will standardize the way unclassified information requiring protection, such as CVI, is handled among agencies. The National Archives and Records Administration, the agency charged with approving CUI categories, has recognized the success of the CVI program and has indicated that it will approve CVI as a category of CUI.
Remember that it’s important for facilities subject to CFATS to ensure that its employees, consultants, and contractors who have access to CVI take CVI Authorized User Training to become certified CVI Authorized Users.
I’ll continue to look out for any new CVI-related developments and will certainly provide an update as soon as DHS releases the revised CVI Procedural Manual or unveils the new CVI Account Management Tool.
~ Ryan Loughin
Copyright © ADT Security Services, Inc. 2011 - All Rights Reserved. Legal Disclaimer - Some of the individuals posting to this site, including the moderators, work for ADT Security Services, Inc. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of ADT Security Services, Inc. The content is provided for informational purposes only and is not meant to be an endorsement or representation by ADT Security Services, Inc. or any other party. This site is available to the public. No information you consider confidential should be posted to this site. By posting you agree to be solely responsible for the content of all information you contribute, link to, or otherwise upload to the Website and release ADT Security Services, Inc. from any liability related to your use of the Website. You also grant to ADT Security Services, Inc. a worldwide, perpetual, irrevocable, royalty-free and fully-paid, transferable (including rights to sublicense) right to exercise all copyright, publicity, and moral rights with respect to any original content you provide. The comments are moderated. Comments will appear as soon as they are approved by the moderator.