Tuesday, July 14, 2009

SSP Submission – RBPS #6 Theft and Diversion

This is another in a series of blog postings on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission; SSP Submission – Facility Data; SSP Submission – Facility Security Measures; SSP Submission – RBPS #1 Restrict Area Perimeter; SSP Submission – RBPS #2 Secure Site Assets; SSP Submission – RBPS #3 Screen and Monitor; SSP Submission – RBPS #4 Deter Detect and Delay; SSP Submission – RBPS #5 Shipping Receiving and Storage.

This posting looks at RBPS #6, Theft and Diversion. This section of the SSP looks at equipment, processes and procedures that help to reduce the risk of theft or unauthorized diversion of ‘dangerous chemicals’ including Theft COI. The Guidance document provides the same definition for ‘dangerous chemicals’ in this RBPS as was used for ‘hazardous chemicals’ in RBPS #5. There is no reason given for the use of two different terms for the same chemicals.

This section of the SSP provides similar questions for both facility wide security measures and asset specific security measures. As we noted in the other sections of the SSP with similar provisions, a security measure is not reported in the asset specific questions if the security measure applies to (and was reported as) facility wide security, unless there are separate systems for the specific asset or there are substantial differences in operations of the measure at the specific asset.

More Duplicate Questions

This section has an even larger number of previously asked questions than we have seen in the earlier RBPS sections. Part of this may just be because there are more questions to draw from. Once again, there are no instructions in either the Questions manual or the Instructions manual about how the system deals with repeat questions. I suspect that in many cases the answers will pre-populate forward.

There are two odd duplicate questions that have been significantly reworded from their earlier incarnations. I guess that means that they aren’t truly duplicates. I certainly have no idea why these two questions were picked for rewriting and reissuing. Both questions require ‘Yes’/‘No’ check-offs. The questions are:
"Does the facility have controls and procedures that restrict access to storage of potentially dangerous chemicals (including Theft COI), allowing access only to authorized individuals?"

"Are transportation access portals controlled and is access limited to authorized individuals?"
Unknown Carrier or Driver Questions

There is a duplicate question that leads off a section of questions about procedures for how the facility will deal with an unknown carrier or driver showing up to deliver or pick up a load. Each of the questions requires a ‘Yes’/‘No’ response.

At first glance these seem to be standard questions, but there are two questions that are very similar in the way they are worded. They deal with procedures that the facility has for where the truck/driver will be held while they are waiting until they are “properly vetted and approved”. One question uses the term ‘staging’ and the other uses ‘sequestering’. While there are no explanations for the differences, I would assume that ‘staging’ means a holding location outside of the security perimeter while ‘sequestering’ means an area within the security perimeter.

The final question in this section is oddly worded, which makes it difficult to determine how to answer the question. It reads:
Procedure for… “Notifying and contacting local law enforcement depending on the identity of the driver and identity of the load.”
Presumably DHS is asking about a procedure for dealing with a driver/load that cannot be identified or vetted. This would mean that there is a serious suspicion that the driver is up to no good. Unless the facility security team has arrest authority (which would be unusual unless they are off-duty law enforcement personnel) the local law enforcement would have to be contacted to effect an arrest.

Training Questions

This is the first time that we have seen questions related to training in the SSP. It seems more than a little unusual since there is a complete RBPS (RBPS #11) dedicated to this subject. Additionally, there appears to be a minor misprint in the Questions manual. The manual shows a list of training frequency questions followed by a typical question that would lead such a list of questions. That question is:
“Does the facility require individuals granted unescorted accesses to the facility to attend security awareness training at the facility?”
Usually, such a qualifying question, if answered ‘No’, would remove the frequency questions from the SSP tool for that facility. Finding this question at the end of the section kind of defeats that purpose.

These security awareness training questions ask how often the described training is conducted with responses of: monthly, quarterly, semi-annually, annually, biennially, triennially, never. All but the last question in the group ask about ‘recognizing and detecting’ a variety of threats, ranging from ‘explosive materials’ to ‘characteristics and behavioral patterns of persons who are likely to threaten security’.

The last question in the section is the ‘odd man out’. Instead of ‘recognizing and detecting’ it asks about “general techniques used to circumvent security measures?” While it is slightly different from the other questions in the group, it does provide some recognition of the fact that potential adversaries will be attempting to subvert or by-pass facility security procedures.

Background Investigation Questions

There is another set of questions that seems to be slightly out of place in the RBPS. They deal with background investigation, an area that will certainly be dealt with in more detail in RBPS #12, Personnel Surety. This final section in RBPS #6 has three questions requiring a ‘Yes’/‘No’ response.

Adequacy of Procedures

As noted above, there are a number of questions in this RBPS section that ask if the facility has a procedure to deal with ‘X’. The answers to such questions are invariably ‘Yes’/‘No’, but anyone that has ever worked with regulatory agencies knows that there may be a long way between having a procedure and having an ‘acceptable’ procedure. At this point in the CFATS process DHS is not asking to see a copy of the procedure mentioned in the question; it is simply asking if the facility has a procedure.

When the first inspector shows up after the SSP is approved to verify that the facility is actually implementing the approved SSP, the inspector will want to see copies of each of the procedures asked about in the SSP questions. Whether the facility has separate procedures for each of the security areas identified or one massive procedure is probably of little consequence.

DHS is not going to have the manpower or time available to review each of the procedures in detail. With the wide variety of types and sizes of facilities covered by the CFATS regulations, each of these procedures will be unique and it would be way too time-consuming to do an in-depth review either at the facility or back at the ‘office’.

What I would not be surprised to see at some time in the future is DHS developing ‘procedure’ tools under CFATS to help them do a more detailed evaluation of procedures. They would be the same type of answer-the-questions and fill-in-the-blank tools that have become so familiar to CSAT users.
