I had some problems keeping up with all of the new updates on the DHS FAQ page. On both the 15th and the 17th they posted questions at two different times. There is obviously some increased interest in the CSAT process (maybe due to SVA’s?), so rather than try to keep up with this on a daily basis (at least until things slow down), I’m going to do this weekly.
As of Friday there were eleven new FAQ entries (not counting the ones that I had already reviewed last week. They span a range of topics covering Registration, Top Screen, SVA, Site Security Plans and even enforcement.
- 1544: How does a facility register to complete at CSAT Top Screen?
- 1547: Is the fact that a facility is a covered facility under 6 CFR part 27 considered CVI?
- 1548: Is the preliminary tier determination of a covered facility by DHS considered CVI?
- 1549: May a covered facility disclose its preliminary tier level to another entity or individual (e.g. a trade association or another facility)?
- 1550: Does DHS need to be notified when a CVI Authorized User at a covered facility shares CVI (e.g., its preliminary tier determination) with another CVI Authorized User, who has a "need to know", within the private sector?
- 1551: Can individuals who are not USCitizens be CVI Authorized Users?
- 1552: Are chemicals in transit regulated under the Chemical Facility Anti-Terrorism Standards (CFATS)?
- 1553: Does DHS have the authority to enforce the use of Inherently Safer Technology (IST) at a facility?
- 1554: Does DHS have the authority to shut down a facility?
- 1555: I'm not sure how this whole CSAT thing works. Can you explain it in a few sentences?
- 1556: What web browser settings are required to access CSAT?
Chemical-terrorism Vulnerability Information
Almost half of the questions (5 out of 11) relate to CVI. This is not surprising since most people have little or now training or experience with document security measures. None of these questions (1547 through 1551) is complicated nor are the answers. The answers can be summarized as follows.
- That a facility is covered under CFATS (and thus a high-risk facility) is not CVI.
- The preliminary (and the final) tier level assignment is CVI.
- CVI data can be disclosed to a CVI Authorized User who has the need to know.
- DHS does not need to be notified when CVI is shared between Authorized Users with a need to know (to be safe keep a log of receipt and transmission of CVI)
- You do not have to be a US Citizen to be an Authorized User.
This is an interesting, if probably unrealistic question. Given that the Help Desk people lived up to their name a short concise summary of the whole shebang. Who says that government has to be obfuscating? Here is the complete reply:
- “A facility with Appendix A COI at or above the applicable STQ is required to use the CSAT system in order to complete and submit a Top-Screen. A facility covered by CFATS is also required to use the CSAT system, for example, to do the following:
- “Access the User Registration System
- “Identify, assign, and authorize the Authorizer, Submitter, and Preparer.
- “Send in the signed PDF form that is produced by the User Registration System to DHS.
- “Receive usernames and passwords from DHS.
- “Access the CSAT website to transfer accounts, if needed.
- “Access the CSAT website to add Reviewers, if needed.
- “Access the CSAT website to conduct the Top-Screen questionnaire, if needed.
- “Access the CSAT website to complete a Site Vulnerability Assessment, if required.”
Sounds painless, doesn’t it?