There is a good review of the CFATS process on SecurityInfoWatch.com. Written by Richard A. Michau, a VP at Allied Barton Security Services, it provides a good summary of action DHS has taken to date and what is planned for the future. My only complaint is that he overlooks the current exemptions for water treatment facilities, regulated nuclear facilities and DOD controlled facilities while mentioning the exemption for regulated maritime facilities.
He notes that the originally planned date for notifications for facilities to complete security vulnerability assessments (SVA) was April. The currently expected date he reports is now July. This would fit well with recent congressional testimony by Robert Stephans (see: "House Subcommittee Hearing on HR 5533 and HR 5577") who noted that the Phase I facility SVA filings were currently underway. This July date would allow time for DHS to revise some internal procedures to correct problems found during the Phase I filings.
Risk-Based Performance Standards Guide
Michau reports that DHS is planning on publishing a guide to their risk-based performance standards in August. I reported on the development of this guide in an earlier blog (see: "Security Forces at Chemical Facilities – Mission Definition") but did not have a publication date. This guide will certainly be helpful for facilities trying to develop their site security plans.
IT Security Issue
Michau tosses off an interesting comment that requires some amplification. Towards the end of the article he notes that site security plans "may also have to include the physical location of required records and IT security requirements, if they are housed at a different location, such as your corporate headquarters."
Facilities that have SCADA or other electronic systems identified as critical security resources in their SVA will have to document protections for those systems in their site security plans. With many corporate computer systems becoming more interconnected, protections for off-site systems will have to be documented in the site security plan.
CFATS Staff Expansion
Michau also provides some new details for the expansion of the DHS staff supporting the implementation of the CFATS regulations. He reports that DHS plans to establish 10 field offices with 160 personnel supporting the CFATS effort. All of this based on a 26% budget increase for the effort in 2009.
All in all this is a good review of the CFATS implementation to date. One would not expect any less from a VP at one of the larger security companies in the United States. For my review of CFATS implementation see my blog "Vulnerability Assessments are Underway".