Draft SSP Review – Asset Security Measures

This is another in a continuing series of blogs describing the draft SSP Template that was provided by a reader of this blog, not DHS. Just a quick reminder, this means that there might be differences between this template and the one that DHS will shortly be opening on the CSAT web site. The previous blog in the series was: Draft SSP Review – General Facility Information Draft SSP Review – Facility Operations Draft SSP Review – Facility Security Measures In the last blog I looked at the Facility Security Measures section of the Draft SSP Template. The next, largest, and potentially the most controversial portion of the template deals with questions supporting each of the 18 Risk-Based Performance Standards (RBPS). I am going to skip that portion for now for a look at the final section in the template; the Asset Security Measures. We will look at the specific RBPS in later blogs. Asset Security All of the discussion about security measures in the SSP so far has dealt with the security for the entire high-risk facility. In many instances it may be appropriate to provide the highest level of security protection to just a few areas of the facility where COI are stored, produced, loaded or unloaded; where that COI is most vulnerable. This targeted security is known as ‘asset security’ or critical asset protection’. Not all assets covered in this section will be specifically associated with a unique COI. The best example of this would be a control room; because of the access to control, safety and perhaps security systems available in this location this location could be expected to be a prime target in a terrorist attack on a chemical manufacturing facility. Asset Description The first thing that must be done in this section of the template is to identify the assets for which there will be asset specific security measures reported. It is not necessary to identify all assets associated with COI, just those that have unique security measures not previously identified in the Facility Security Measures section. Each asset will be given a unique name (34 character limit) and a description that includes a listing of the primary function of the asset. Once the asset is identified there will be a unique sub-section of the template produced for each of the listed assets. For each asset there will be another series of questions that relate to the COI present at the facility to determine if those COI are ‘associated’ with the asset. The term ‘associated’ does not necessarily mean present; a control room for example would be associated with any COI that can be controlled from that location. RBPS Identification The final portion of the asset identification process is the determination of what risk-based performance standards would apply to that particular asset. There are only four RBPS that could be identified for this section of the template: #2 – Secure Site Assets; #3 – Screening and Access Controls; #5 – Shipping, Receiving and Storage; and #6 – Theft and Diversion. Only those RBPS for which there will be an identifiable security measure need to be selected for a particular asset. As a practical matter, submitters might want to initially select all four RBPS for each asset described. Subsequently, if no questions are answered affirmatively for that particular asset in that RBPS, the facility can always de-select that RPBS. RBPS Questions Each of the four RBPS sections will have similar questions to those found in the Facility Security Measures section of the SSP Template. At the start of each RBPS in this section, the submitter will be given the option of pre-populating the section with the same answers provided in the main section of the SSP. This would be useful if the same type security measures used for the facility in general are duplicated at the asset. For example, if the asset is surrounded by the same type of fencing that forms the facility perimeter. But, an asset that does not have a barrier around it does not get ‘credit’ for the facility barrier in this section. This section is used only to describe security measures that are specifically protecting the described asset.