"Does the facility have controls and procedures that restrict access to storage of potentially dangerous chemicals (including Theft COI), allowing access only to authorized individuals? "Are transportation access portals controlled and is access limited to authorized individuals?"Unknown Carrier or Driver Questions There is a duplicate question that leads off a section of questions about procedures for how the facility will deal with an unknown carrier or driver showing up to deliver or pick-up a load. Each of the questions requires a ‘Yes’/‘No’ response. At first glance these seem to be standard questions, but there are two questions that are very similar in the way they are worded. They deal with procedures that the facility has for where truck/driver will be held while they are waiting until they are “properly vetted and approved”. One question uses the term ‘staging’ and the other uses ‘sequestering’. While there are no explanations for the differences I would assume that ‘staging’ means a holding location outside of the security perimeter while staging means an area within the security perimeter. The final question in this section is oddly worded which makes it difficult to determine how to answer the question. It reads:
Procedure for… “Notifying and contacting local law enforcement depending on the identity of the driver and identity of the load.”Presumably DHS is asking about a procedure for dealing with a driver/load that cannot be identified or vetted. This would mean that there is a serious suspicion that the driver is up to no good. Unless the facility security team has arrest authority (which would be unusual unless they are off-duty law enforcement personnel) the local law enforcement would have to be contacted to affect an arrest. Training Questions This is the first time that we have seen questions related to training in the SSP. It seems more than a little unusual since there is a complete RBPS (RPBS #11) dedicated to this subject. Additionally there appears to be a minor misprint in the Questions manual. The manual shows a list of training frequency questions followed by a typical question that would lead such a list of question. That question is:
“Does the facility require individuals granted unescorted accesses to the facility to attend security awareness training at the facility?”Usually, such a qualifying question, if answered ‘No’ would remove the frequency questions from the SSP tool for that facility. Finding this question at the end of the section kind of defeats that purpose. These security awareness training questions ask how often the described training is conducted with responses of: monthly, quarterly, semi-annually, annually, biennially, triennially, never. All but the last question in the group asks about ‘recognizing and detecting’ a variety of threats, ranging from ‘explosive materials’ to ‘characteristics and behavioral patterns of persons who are likely to threaten security’. The last question in the section is the ‘odd man out’. Instead of ‘recognizing and detecting’ it asks about “general techniques used to circumvent security measures?” While it is slightly different from the other questions in the group it does provide some recognition of the fact that potential adversaries will be attempting to subvert or by-pass facility security procedures. Background Investigation Questions There is another set of questions that seems to be slightly out of place in the RBPS. They deal with background investigation; an area that will certainly be dealt with in more detail in RBPS #12, Personnel Surety. This final section in RBPS #6 has three questions requiring a ‘Yes’/‘No’ response. Adequacy of Procedures As noted about there are a number of questions in this RBPS section that ask if the facility has a procedure to deal with ‘X’. The answers to such question are invariably ‘Yes’/‘No’, but anyone that has ever worked with regulatory agencies knows that there may be along way between having a procedure and having an ‘acceptable’ procedure. At this point DHS in the CFATS process DHS is not asking to see a copy of the procedure mentioned in the question; it is simply asking if the facility has a procedure. When the first inspector shows up after the SSP is approved to verify that the facility is actually implementing the approved SSP, the inspector will want to see copies of each of the procedures asked about in the SSP questions. Whether the facility has separate procedures for each of the security areas identified or one massive procedure is probably of little consequence. DHS is not going to have the manpower or time available to review each of the procedures in detail. With the wide variety of types and sizes of facilities covered by the CFATS regulations each of these procedures will be unique and it would be way too time consuming to do an in depth review either at the facility or back at the ‘office’. What I would not be surprised to see is DHS developing at some time in the future would be ‘procedure’ tools under CFATS to help them do a more detailed evaluation of procedures. They would be the same type answer the questions and fill in the blank type tools that have become so familiar to CSAT users.