“How to craft a Site Security Plan?” “Is there a format for Site Security Plans per RBPS?”My twitter reply was:
“No SSP Format available from DHS yet. Draft RBPS did not address format issue. SSP will be part of CSAT on DHS Web”Background Information The big problem that DHS has had with the whole CFATS process is that they have been trying to craft a complicated security assessment scheme for a very diverse ‘industry’. When people think of the ‘chemical industry’ they think of classical petrochemical production facilities or big producers of commodity chemicals. In actual practice, just about any manufacturing facility could fall under the purview of the CFATS regulations as everybody uses ‘dangerous chemicals’. The genius of the DHS plan (and the individual that came up with the original concept for this scheme should be given the governmental equivalent of the Nobel) is a secure on-line tool for providing information to DHS, the Chemical Security Assessment Tool. To understand the importance of this tool you need to look no further than the initial Top Screen. DHS took data submissions from over 30,000 facilities across the country in a period of 60 days, crunched the numbers, and identified the 7,000 highest-risk chemical facilities out of that total. And they did it with less than 100 people in the program, and they did it in less than six months. It was an absolutely remarkable accomplishment. The problem is that it took DHS six months to design the Top Screen Tool and they are still refining it. The next tool in CSAT was the Security Vulnerability Assessment Tool. This tool took longer to design (it actually pre-dates CFATS), but again it is allowing DHS to take a great deal of security information from 7,000 facilities and permitting DHS to use that information to make a detailed assessment of the security situation at those facilities. The result (probably coming out in the next couple of months) will be letters to facilities identifying which security threats they actually have to address in their site security plans. Site Security Plan I am sure that DHS has been hard at work on the next CSAT tool that will be required, the Site Security Plan Tool. What form that tool will actually take is probably known only to a few personnel in DHS. I suspect that they will continue to try to use the fill in the blank or check the box format that they have successfully used for Top Screen and SVA. It will be a little more difficult on something as varied as the SSP, but I suspect that that will be the format. I would not be surprised to see the RBPS being utilized to format the data entry. Some of the 18 performance standards would be repeated for each COI identified in the SVA response letters. Others, like perimeter security, cyber security, and personnel surety would be in a separate section covering the entire facility. The big question is when can we expect to see the SSP and the final version of the RBPS Guidance Document? If DHS expects to receive and review SSPs and still have time for inspecting facilities implementation plans before October when CFATS expires, we will probably need to have the SSP format and RBPS guidance document available before Valentine’s Day.