DHS CSAT FAQ Page Update – 10-17-08

There were no new FAQ addressed this week on the DHS CSAT FAQ page, nor were there any reviews or changes made to the answers for existing questions. That is certainly not to say that the Help Desk has been idle. They have added a new feature to the FAQ page; an on-line Help Request Form. Until now questions were only able to be submitted by phone or email. The actual form can only be reached after having successfully completed a CAPTCHA Challenge. This is done to prevent the Help Desk from being swamped with a barrage of automated questions in a denial of service attack on the site. I think that this is probably over-kill, but at least someone is taking cyber attacks seriously. Identification Information The rather expansive heading portion of this form is intimidating. Reportedly there is a ‘requirement’ for the Help Desk to enter the requested information into some sort of database before they can provide an answer. Presumably, they requested the same information from personnel calling in with questions. The ‘for tracking purposes’ explanation provided for requiring this information is a bit disingenuous. I would suspect that, while the questions are certainly being tracked, the facility information is being provided to ensure that questions about high-risk chemical facilities are being handled in such a way to ensure that no chemical-terrorism vulnerability information (CVI) about that facility is even tangentially released to someone without the required need to know. CVI Submissions There is nothing on site that provides guidance on the inclusion of CVI information in any of the questions submitted via this form. The CVI Procedure Manual allows for submitting CVI on a secure server like that used for submission of Top Screens or SVAs. It is not clear that this form is on such a secure server. The instructions for the form state that “At successful completion of this form, an e-mail containing the submitted information is sent to the CSAT Helpdesk and a copy to the e-mail address you provide on the form.” That would certainly seem to indicate that the form should be treated as email. In that case the CVI Procedure Manual calls for sending the CVI material as an encrypted attachment or a password protected attachment (with the password sent via a separate message). Since I see no provisions for attaching files, it is unlikely that CVI should be sent via this form.