Wednesday, April 15, 2009

Draft SSP Review – Facility Operations

This is another in a continuing series of blogs describing the draft SSP Template that was provided by a reader of this blog, not DHS. Just a quick reminder, this means that there might be differences between this template and the one that DHS will shortly be opening on the CSAT web site. The previous blog in the series was: Draft SSP Review – General Facility Information The next portion of the Draft SSP Template will be the general facility information portion of the tool. This section of the template will require the facility management to contact a variety of local government agencies to get data. If the facility has not established a working relationship with these agencies by this point in the facility security preparations, now is a good time to do so. Facility Description There are some new questions about the facility that have not been previously required in the CFATS process. The first that the facility will see is the ‘facility type’ this provides a pull down menu with a description of various types of chemical facilities. The copy of the draft template that I have does not show the pull down options, but this should be a fairly straight forward selection process. If there is no appropriate selection there is a fill in the blank option available. The next ‘question’ appears to be awkwardly worded; it reads: “Provide the Office of Emergency Management (OEM) authority under which the facility operates.” From the example provided in my copy of the template, “County”, it is apparent that the question refers to the lowest level of ‘Emergency Management Agency/Administration’ that services the facility area. The selection is made from another pull down menu with the standard fill-in the blank ‘other’ option. The other two questions in this sub-section deal with the ‘locale’ of the facility and the ‘type construction’. The responses are chosen from the inevitable pull down menu with the standard ‘other’ option. Facility Contact Information This sub-section requests the name and contact information for four separate ‘Security Officer’ listings; Facility Security Officer, Assistant Facility Security Officer, Corporate Security Officer, and Cyber Security Officer. I am certain that the written instructions will make abundantly clear that there must be at least two separate names provided, one for the Facility Security Officer and the Assistant. Larger facilities and multiple high-risk facility companies will almost certainly have separate names for the other two positions. The last question in this subsection is something of a step-child, put here for the lack of a better heading. It asks: “Does the facility implement security plans required or recommended by the following agencies?” It then provides ‘Yes/No’ check-offs for TSA, DOT, Coast Guard, Customs and the ever present ‘Other’. If a facility is unsure about this question it probably does not apply. On-Site Response Capabilities This next section asks a number of questions about the on-site emergency response capability for the facility. Most of the requested responses are ‘Yes/No’ check-offs with one fill-in the blank (name of facilities that share the response capability) and one fill-in the number (number of members of the on-site Emergency Management Team). The only ‘odd’ question is the one about ‘Special Response Capabilities’. What constitutes an SRC is not clear until the next page where there is a list of ‘Capabilities’ that DHS is interested in. Some items on the list, field medical and toxic release response for example, are fairly common, but there are some exotic response capabilities listed. ‘Aviation’, ‘Hostage Rescue’ and ‘Snipers’ are three that are sure to raise some eye brows. Responses are simple ‘Yes/No’ check-offs. Emergency Response Information This section starts off with two easy questions about facility shelter-in-place capability and the presence of a ‘community notification system’. Both questions require a ‘Yes/No’ check-off. The remaining questions are going to require extensive conversations with off-site emergency response agencies. While there is an added ‘Unknown’ check-off option for many of these questions, I don’t believe that DHS will (nor should) accept that answer for too many questions. The emergency response agencies that the Draft SSP Template addresses are local police, fire department, emergency medical technicians (on-site and off-site), and mutual assistance groups. The questions deal with the name of the agency, number of full-time personnel, response times and ‘Special Response Capabilities’. The SRC section provides the same list of capabilities as found in the on-site response section. Special Response Capabilities This sub-section of the Draft SSP Template should probably been called ‘Other Response Agencies’, that would have been less confusing. It looks for information on three other agencies that might be counted on to respond to an incident at the facility. These agencies are State Police, US EPA, and State EPA. Most of the questions are the same as for the previous response agency section. One new addition is the question that asks: “Is there a formal, written agreement with the responding agency?” Facility Personnel The number and type of employees working at the facility are addressed in this sub-section. The questions ask for numbers of ‘Employees’ and ‘Security Officers’ in the categories of full-time, part-time, contractors, and others. There are also questions about the shift times and number of employees on each shift. COI – Chemical Operations The types of operations involving the facilities listed COI are covered in this sub-section. Those operations are shipping, selling, receiving, and manufacturing. Each of the COI listed in the General Facility Information section of the template are pre-populated into this sub-section. There are ‘Yes/No’ check-offs for each of the COI to determine if the operations apply to that COI. There is also a question about what industries the facility supplies. Finally, for each COI that has been indicated as being shipped or received is listed in a separate section asking about the mode of transportation used for shipping and receiving. Uploads The final two sub-sections in the Facility Operations section of the SSP deal with optional data uploads to the system. The first is the ASP upload. All high-risk facilities have the option of filing an Alternative Security Plan in lieu of completing the remainder of the SSP as long as it meets the requirements of 6 CFR § 27.225. Given the problems that facilities had with using ASP’s in lieu of filling out the DHS SVA, I doubt that many ASP’s will be approved on the first go round. The second upload sub-section is for ‘Facility Schematics’. This allows facilities to upload aerial photographs, plot plans, drawings and system schematics to DHS. The simplest facilities probably will not need to do this, but any facility that handles multiple COI, or COI in multiple locations should probably plan on providing documents to make it easier for DHS to understand the locations of COI storage and other key locations. A personal recommendation; use a good security software program to scan your files for bugs, viruses, worms, etc before uploading them to the DHS system. I am very sure that DHS is going to scan these upload documents, but it looks pretty tacky if you try to upload an infected file to the DHS system.

No comments:

/* Use this with templates/template-twocol.html */