Friday, January 22, 2010

Site Security Plan Article

This is an interesting period for the chemical security community. The Senate is getting ready to start working on CFATS legislation while there is a renewed interest in general on counter-terrorism issues. Tier 1 facilities are starting to go through the inspection process while the other tiers are finishing up their SSP submissions. This renewed emphasis on CFATS is reflected in a number of magazine and web articles on the process. I recently found one such article on SecurityManagement.com: “The Skinny on CFATS”.

Site Security Plan

This article by Joseph Straw gives a good feel for the Site Security Plan process even if it lacks details on how the process works. It does make a good point that the name of this phase of CFATS implementation is more than a little bit of a misnomer. As I have mentioned in other blog postings, a ‘plan’ normally connotes an organized document that lays out objectives and explains how they will be met. As this article explains, the SSP is not really a plan, but rather a lengthy questionnaire about the security measures in place at the facility.

Even that is a simplification of the SSP process. Unless a facility has been hard at work upgrading its security measures to meet the risk-based performance standards (RBPS) outlined in last year’s RBPS Guidance Document, it is extremely unlikely that the ‘current’ security measures in place will be enough to get an SSP approved. But DHS has a simple solution to that problem: they will give you credit in the SSP for ‘Planned Security Measures’ as long as the facility can demonstrate that there is really a plan firmly in place for implementing those measures.

The article also makes the point that the SSP submission/approval process is more like a negotiation between the facility and DHS.
Since DHS is prohibited by statute from specifying particular security measures in the SSP approval process, a facility just has to be able to demonstrate that its particular combination of security measures fulfills the performance criteria of the RBPS.

The article does kind of gloss over one final point on the SSP process, however. Once the SSP submission is approved, DHS looks on that document as a ‘security contract’ between that facility and DHS. All subsequent inspections by DHS will be done to ensure that the facility is in compliance with that now enforceable contract. The §550 prohibition against ‘requiring specific security measures’ will no longer apply to that facility. If the facility said that it would have a security measure in place, then DHS will expect to find it in place when they come to inspect. ‘Planned Security Measures’ must be proceeding according to the documented plan.

Alternative Security Plans

The article does mention that there is an alternative to completing the ‘1,500 questions’ in the SSP tool: the submission of an ‘alternative security plan’ (ASP). Conceived in the §550 language, this was included to ensure that facilities with an already existing robust security plan would not have to re-invent their plan. DHS has expanded the idea to allow any facility to upload a security plan into the SSP tool as an alternative to answering most (certainly not all) of the questions in that tool.

Given the ‘problems’ that facilities had in getting initial approval of their security vulnerability assessment (SVA) using an alternative security plan in lieu of answering the SVA tool questions, I doubt that there will be many facilities that will get initial acceptance of the ASP. That certainly does not mean that facilities, particularly those single COI facilities mentioned in the article, should not try this option. Just expect to have to answer directed questions from DHS about RBPS issues not well addressed in the ASP.
Facilities planning on submitting an ASP should probably take a quick look at the SSP questions to see what type of information DHS is requesting. Ensuring that the appropriate information is in the ASP before it is submitted will help in getting it approved. A large number of the questions in the SSP would be expected to be answered in the negative for most facilities; those negative responses wouldn’t need to be included in the ASP. But if something is in the SSP and the facility has it as part of their security set-up, it needs to be included in the ASP submittal.

Other Articles

This is not the only article currently out there about the CFATS program. While I may not be able to review all of them, I certainly want to point my readers at as many of these articles as possible. If I miss any, please let me know either by email or as a comment to this blog posting.
