There is a bit of a rambling article over on SecurityManagement.com that looks at issues with CFATS and ‘comprehensive chemical security management’. While it is sometimes hard to follow, the article by Salamone, Fuller and Leith from AcuTech make some very good points about the relationship between a comprehensive security policy for high-risk chemical facilities and the requirements of CFATS.
Probably the most important point of the article is that the CFATS program is an anti-terrorism program, not a security program. A comprehensive security program at a high-risk chemical facility will of course include anti-terrorism elements, but it must also address factors like industrial espionage, pilferage, and work-place violence. While there will be some overlap in security techniques, there will be significant security requirements for these other areas that would not be typically covered in an anti-terrorism program.
Written Security Plan
The article also points out that the SSP submission required under CFATS is a data collection effort, not a site security plan. The CSAT SSP is an attempt by DHS to capture data about the security effort at a high-risk chemical facility so that they can evaluate the adequacy of that effort. No one will be able to utilize that data submission package to manage the security at the covered facility.
A plan will still have to be written that will assign responsibilities for actions by the full range of employees at that facility in support of the anti-terrorism security program. One would have to assume that the DHS inspectors doing the implementation inspection would want to see a written plan to be able to understand how, for example, the security personnel will be implementing the checking of vehicles entering the facility.
The AcuTech authors briefly discuss the pros and cons of keeping the CFATS security plan separate from the comprehensive facility security plan. They note that if the two are combined, the non-terrorism related portions of the plan may be inspectable by DHS CFATS inspectors. While DHS has not completely discussed how they will be doing their inspections to verify implementation of the SSP, they have made clear that they intend to use the data submitted in the SSP as their guide to the inspection.
DHS has also made it clear that the facility can designate security measures on their SSP that are not to be included in the DHS evaluation of the SSP. This may be the appropriate method of keeping non-terrorism related security measures out of the CFATS inspection process. That would certainly be easier than trying to maintain separate security plans.
The final point that the article makes may be a little bit hard to deal with while you are working on your initial Site Security Plan; there is change in the wind. Anyone watching the political news will surely realize that the CFATS regulations are expected to change, if not this year, then probably next year. The authors note that those changes “might include re-evaluation and a potential change to the list of COI, identification of different threats, more comprehensive screening and vulnerability assessment steps, and more detailed security plans”.
Planning for future regulatory changes should be considered while the facility is working on the current compliance plan. As the closing statement in the articles says: “facility security managers who take the broader view now will be prepared to meet the challenges of the future and their facilities will be better positioned with long-term security investments that will be applicable to changes in future chemical security regulation”.