SSP Submission – Facility Data

This is the second in a series of blog posting on the recently released Site Security Plan Instructions Manual. The first blog in this series was: Preparing for SSP Submission Regular readers of this blog will remember that I did a series of blogs earlier this year on ‘draft’ copy of the site security plan template that I had received. As part of the this series I will refer back to those blogs to correct any potentially confusing or misleading information that I provided. Today I will start with the General Facility and Facility Operations portions of the SSP and I will point out any differences between my earlier blogs and the actual instructions. General Facility Information As I noted in my earlier blog, most of this information will be pre-populated in the SSP Tool from information provided in the Top Screen and SVA submissions. The facility needs to review all of the pre-populated data to ensure that it is correct and complete. If an item of information is missing, enter the data. If the information (other than latitude and longitude) is incorrect, press the “Update Facility Information” button and correct the data. Latitude and Longitude information can only be corrected by contacting the DHS CSAT Help Desk. Earlier I described the Facility Final Notification Letter (FFNL) information that is included in this section. The Facility is responsible to ensure that the information in that letter is properly reflected in this section of the SSP. If any information from the FFNL is missing or incorrect in this section, the Facility must contact the Help Desk before proceeding with entering any further data in the SSP tool. This section also asks about the COI found at the facility. There will be a question for each of the seven security/vulnerability combinations asking if there are issues related to COI in that category. The Facility should answer yes if there are any COI listed in that security/vulnerability category listed in the FFNL. Additionally, the facility can answer yes if there are COI not included in the FFNL that they want DHS to consider in their SSP submission. See my earlier blog for an explanation why a facility might want to do this. For each positive answer in this section a list of COI from that category will appear with ‘Yes’/‘No’ check boxes to allow the facility to select the covered COI. The COI listed in the FFNL should already be selected ‘Yes’ as part of the pre-populated data. Once each of the selected security/vulnerability combinations is marked as completed a summary page of the identified security/vulnerability combinations and selected COI will appear for the Facility to review. Facility Operations In my blog on the Facility Operations section of the SSP I noted that there would be pull down menus with a variety of selections to pull from, but the Draft Template that I had did not provide the list of potential answers. It appears that the assumptions that I made in that discussion are born out by the SSP Questions manual (pgs 25-7) descriptions of the answers available. For example the SSP Questions provides the following responses to the question about facility type:

“Agricultural Chemicals Distribution, Agricultural Chemicals Manufacturing, Agricultural Products Processing, Chemical Distribution, Chemical Manufacturing, College/University, Food Distribution, Food Processing, Health Care, Mineral Extraction/Processing, Natural Gas Storage/Transfer, Petroleum Products Distribution, Petroleum Refining, Pharmaceutical Manufacturing, Power Generation, Propane Distribution, Research, Waste Management, Other”

The discussion in the earlier blog about the on- and off-site emergency response capability appears to have addressed that section pretty well. I have found an interesting error in the SSP Instructions in this area. Section 3.4.3 is inaccurately titled. The printed title is “Emergency Management Team [emphasis added] (EMT) Information”; the discussion makes it clear that it should refer to “Emergency Medical Technicians”. While I did note in the earlier blog that this section of the SSP Tool allows the facility to upload an Alternative Security Program (not ‘plan’ like I called it in that blog) I failed to note that there were five questions that the facility had to answer about the ASP before it can be uploaded. An affirmative answer to each of these five questions will automatically transfer the facility to the APS Upload Page. A negative response to any of the questions will require a facility to answer yes to the following question before being given access to that upload page:

“The ASP does not address all pertinent factors in 6 CFR 27. Do you wish to continue to upload an ASP in lieu of the CSAT SSP?”

The reason for this question is that if an ASP does not adequately address the requirements of 6 CFR §27.235 there is very little chance that the SSP will be approved. As I noted in my earlier blog, with the history of problems that facilities had with getting an ASP approved for Tier 4 Security Vulnerability Assessments, I would bet that very few, if any, ASP’s will be approved on the first submission. If a facility selects to upload an ASP in lieu of the SSP, then that facility will be done with their initial submission through the SSP tool one that upload is complete.