Wednesday, October 21, 2009
As I noted last week on my personal blog, I was interviewed for two different articles on the CFATS program and the new legislation that may change that program over the next couple of years. Yesterday the first of those articles was posted on SecurityDirectorNews.com. That article by Leishen Stelter addresses the uncertainty that facilities are facing as they submit their first site security plans under CFATS. Risk Based Performance Standards The first uncertainty is due to the nature of the CFATS regulations and their authorizing legislation. Since Congress forbade DHS from specifying security measures that could be required for SSP approval, DHS was only able to outline 18 risk based performance standards (RBPS) that the facilities were required to address in their site security plan. To help facilities adequately address those performance standards, DHS published the Risk Based Performance Standards Guidance document. Because of the requirements of the authorizing legislation (§550 of the FY2007 DHS Appropriations Bill) the metrics provided for each of the 18 RBPS in the Guidance are less than precise in their specifications. Each one uses descriptive phrases to describe what must be accomplished rather than clearly measurable requirements of what must be done. This means that as each facility Submitter clicks on the ‘submit’ once their SSP submission is complete, there is an inherent uncertainty as to whether or not DHS will view the SSP as adequate. In December, DHS is scheduled to start sending inspection team to the Tier 1 facilities that completed their SSP submissions last month. If the inspectors bless the plans the facilities will know that they interpreted the Guidance document correctly. It is not clear that facilities with an unapproved SSP will receive anymore detailed guidance on how to correct their deficiencies; §550 still rules. The lower ranked tiers take little consolation from the fact that Tier 1 facilities will get their SSP’s evaluated first. Because of the Chemical-Terrorism Vulnerability Assessment rules that restrict sharing of facility security information, the follow on tiers will get little additional guidance from the inspections being conducted on the higher risk tiers. CFATA Legislation To add to that confusion, Congress is still in the process of trying to craft a permanent and ‘comprehensive’ authorization for the CFATS program. The current §550 authorization for CFATS expires on October 31st. The FY 2010 DHS Appropriations bill that was just sent to President Obama yesterday will provide an additional 11 months of extension for that authorization while Congress bangs out the details of the new legislation. What seems clear at this point in the legislative process is that the Democratic leadership of the House of Representatives is convinced that a Chemical Facility Anti-Terrorism Act should address a number of perceived deficiencies in the original authorization for CFATS. The current legislation working its way through the House committee process will result in a number of significant changes in the way that DHS will regulate chemical facility security. What those changes will be has yet to be determined by the political process. So, while high-risk chemical facilities are working hard on getting their SSP’s submitted and approved, they are also watching the political process change the landscape of their regulatory world. As they spend money on installing security equipment that may or may not be adequate for the current regulations, they face the prospect that even those vague requirements are in the process of changing. The only saving grace is that even if the current legislation were approved tomorrow, it would be at least 18 months before the new regulations will go into effect. So, the facility security teams working on their SSP need to ignore, for now, the political machinations that will affect their next iteration of the SSP process. They need to concentrate their work on finalizing their current SSP; leave upper management to worry about the final wording of the final CFATA legislation.