Tuesday, July 21, 2009
DHS CSAT FAQ Page Update – 07-17-09
Last week DHS only provided two new FAQ questions/answers on their extensive Frequently Asked Questions web page. Those questions were: 1392: When would I have the ability to transfer my account or reassign my user role? 1640: When will I be notified if I have to complete a SVA? Transfer User Account The answer to this question briefly explains that user accounts can only be changed after the user name and password have been issued. This is done to protect the facility from attempts to hijack the facility accounts to gain access to the facility security information stored on-line. The registration system is an open access system, so no changes are allowed in that system. There is a separate, secured access system, designed to handle change requests. That is the User Change Request System. SVA Notification I am not sure that the answer provided for this question actually addresses the desired information. It does do a good job of describing what information the SVA notification provides, but it does not address the timing of that notification. Part of the problem DHS has in answering questions like this is that there are a number of factors that go into the timing of the review of the submitted Top Screen, and then making the initial determination that a facility is a high-risk facility and determining the preliminary tier ranking. The complexity of the Top Screen will certainly bear on the length of time it will take to make the appropriate determinations. A simple Top Screen with a single COI in a well defined area will take much less time to reach a determination than a Top Screen with multiple COI in multiple risk categories stored in a variety of conditions and areas within the facility. While the initial evaluation is done by computer, each Top Screen submission is also reviewed by a real live person. This leads to the another variable in determining how much time it takes to evaluate a Top Screen. Currently the limited numbers of personnel available for enforcement activities in the CFATS program are tied up with a large number of initial Site Security Plans. Since these are Tier 1 and Tier 2 facilities currently undergoing SSP submission, they would generally be expected to have a higher priority than new Top Screens. The good news is that while the facility is waiting for their SVA notification letters, they can go ahead and start collecting data for the SVA submission. If they are subsequently notified that they are a high-risk facility they will have a head start on preparing their submission. If they are told that they are not a high-risk facility (and thus not covered by the CFATS regulations) the information they have gathered will help them to make their own assessment of their site security status, valuable information for any facility. Finally, the time spent waiting for DHS notification does not count towards the deadlines that the facility must meet in complying with their responsibilities under CFATS.