Tidbits from Security Summit Presentations

As I noted yesterday, DHS has posted copies of the slides used in their presentations at the 2009 Chemical Sector Security Summit on the CSSS web site. In today’s posting I’ll abstract some of the interesting (to me at least) bits of information that can be found in these slides. I still don’t have much in the way of supporting information; just the copies of the slides. Ammonium Nitrate Regulations “Background Check − Individuals registering with DHS will have their identifying information screened against information in the Terrorist Screening Database (TSDB)” “Registration Numbers – Individuals registering with DHS will generally be issued or denied registration numbers within 72 hours of receipt of a complete registration application” “Manner of storage of records − Facilities have discretion over the creation, formatting, and storage of their records, provided they contain the required data fields” “Any AN seller who has knowledge of a theft or unexplained loss of AN must report such theft or loss to Federal law enforcement within 24 hours of discovery” “For loss reporting, an individual must report any loss of AN where the loss deviates from the amount of loss that typically occurs during routine production, storage, transportation, or use of AN” “An individual who is denied an AN Registered User Number has a right to appeal that decision, and the appeal must be heard in 72 hours” “An individual who is denied an AN Registered User Number has a right to appeal that decision, and the appeal must be heard in 72 hours” “DHS expects to publish the AN NPRM this fall” “DHS will conduct extensive outreach on the AN regulations” Chemical Facility Anti-Terrorism Standards Overview “Current Preliminary Tiering – 6,400 total facilities” “Top-Screen Resubmissions – 4,002 received “123 Tiered Up (Error 72/Material Modification 31) [3%] “1,537 Tiered Down (Material Modification 1020)” [38%] [2,342 No change by my calculations – 59%] “SVA Review Process and Tiering Engine – “Subject Matter Expert (SME) reviews of each for chemical, physical and cyber security “Tiering engine assigns overall risk score (CxVxT), ensuring consistent application of methodology and appropriate final tiering demarcation points “Review process identifying facilities/companies needing immediate action” “Personnel Surety portal status (TSDB check for RBPS 12, Personnel Surety) − “Working with SCO and TSA to build portal “PRA published in FR June 10, comment period closes August 10 “Scheduled to be operational in late 2009” “DHS receives and reviews a facility’s SSP for the following: “Compliance with due date (date received vs. due date) “Administrative completeness and accuracy “Description of the Security Risk Management Program- “Quantitative review via Security Risk Engine “Qualitative review via DHS SMEs: Physical Security Analyst, Cyber Security Analyst, Chemical Analysts” “Indefinite Agricultural Production Facilities Top-Screen Extension “Issued December 20, 2007 for possession of COI solely for preparation for treatment of or during application to crops, feed, land or other areas on an agricultural production facility “Next Steps - “Use current CFATS authority to direct distributors to complete supplemental Ag-focused questions (Shared with USDA for comment week of 6/22) “Evaluate regulatory approach based upon data review (possibly set Ag COI STQs)” Chemical-terrorism Vulnerability Update “In the event of any disagreement between the facility and the public official regarding the precise CVI to be disclosed or the method of disclosure, DHS encourages the parties to refer the matter to DHS.” “In the event of any disagreement between the facility and the Federal Official regarding the disclosure of CVI or the method of disclosure, the parties to refer the matter to DHS.” Site Security Plan Development and Inspections “Preparation for Inspection “Pre-visit logistics –availability of required personnel, facilities, and site assets, etc. “Assembly of supporting documentation –procedures, plans,records, etc. that support the facility characterization, asset characterization(s), and explanation of RBPS satisfaction described in the Site Security Plan.” Site Security Plan “SSP tool allows for multiple preparers (CVI Certified) − “Identify relevant facility, company and corporate level expertise “Organize SSP team members “Clarify individual responsibilities “Schedule the SSP’s completion, validation, and submission “SSP submitters will be locked out when multiple users are loggedin “The last answer cancels the previous answer in the SSP” Theft & Diversion: Prevention and Compliance “This RBPS, especially the ‘Theft’ element, applies to some degree to virtually all covered facilities, insofar as a facility is not covered in the first place if it has no ‘potentially dangerous chemicals’.” “Diversion is the criminal act of acquiring a product (or service) by means of deception.” “DHS expects to see specific measures addressing both the “straightforward”issue of theft and the more complicated issue of diversion in some combination depending on the Tier Level.” “Another excellent source document on counter-diversion programs is the Drug Enforcement Administration's Chemical Handler’s Manual” Voluntary Practices and Industry Practices “Bi-annual Classified Briefings “The SSA sponsors classified briefings for cleared industry professionals in order to assist them with prioritizing the level and type of security measures to implement “Both physical and cyber threats are briefed and any other topics of interest to chemical supply chain professionals” “The Chemical Sector is participating in a pilot program to improve cyber information-sharing processes which includes monthly calls between small trusted cyber security group in the Chemical Sector, the National Cyber Security Division (NCSD) and Chemical SSA” “Voluntary Chemical Assessment Tool (VCAT) “The web-based tool facilitates a cost-benefit analysis allowing users to select the best combination of physical security countermeasures and mitigation strategies to reduce overall risk” “Multi-plant tours designed to give public sector partners involved with chemical security an opportunity to see firsthand the security measures at facilities” General Comments Looking at these slides, it certainly seems like the Chemical Sector Security Summit should have been a worthwhile meeting to attend. But give the fact that there are over 6,000 covered facilities there is no way that the Summit was large enough to include participation of even just a single representative of each facility. The Chemical Sector Coordinating Council and the Chemical Sector-Specific Agency, the co-sponsors of the event, need to consider web casting the presentations.