Sunday, March 14, 2010

Reader Comment 03-13-10 SSP Experience

Dick Sem of Sem Security Management was one of the first people that I contacted when I started working on chemical facility security issues back in early 2007. I found his contact information through an internet search. We have stayed loosely in touch since then. When he posted that he had been working on some SSP submissions, I sent him a message asking him to share some of his general impressions with readers of this blog. Late Saturday he left those comments appended to my recent post on the premature reports of the death of CFATS. His comments are worth reading in their entirety. He is an experienced security professional, and his opinions on the process should be considered by DHS as they continue to review and update their process.

One Size Fits All

Dick's ending comment is especially important. We always hear about how important it is for security measures to be risk based and how we must avoid a 'one size fits all' set of security requirements. In a slightly different look at this, Dick writes:
“While I'm getting things off my chest, this process looks like its developers never actually saw especially small facilities with relatively limited resources. The SSP tries too much to be all things to all facilities with little concern for their size, function, location, etc. Perhaps it would have been better if there had been separate SSP's based, in addition to Tier level, upon the size of facility or type (i.e. chemical, educational, manufacturing, paper, water treatment, etc.)”
Now, I know that DHS developed all of their tools with the intention that any covered facility, regardless of size or type, could provide information about their security efforts. This means that there are many questions that will be answered "No" or "N/A" by many facilities, especially smaller facilities. I'm not sure, however, that DHS has communicated adequately that they are not expecting facilities to use these questions as security guidelines that must or should be followed by every facility. Part of the problem is, of course, caused by the Congressional restriction that DHS could not require specific security measures as a prerequisite for SSP approval. I understand, and agree with, the underlying reason, but it does make it more difficult for DHS to communicate what is expected of facilities. Another problem was the short amount of time that DHS had to get all of this put together. There simply wasn't time to develop separate SSPs for each industrial sector that might have covered chemicals on-site. Though, to be fair, DHS has addressed a number of individual chemical communities with the suggestion that they develop an Alternative Security Plan process for their specific situations. Most have declined, allowing the burden to remain at the doorstep of DHS. Some individuals at ISCD have been particularly upset with the academic community in this respect.

SSP Misnomer

Dick Sem also points out a problem with terminology, writing about the Site Security Plan process that "And once you're done, you have a completed checklist with planned and proposed measures but no actual plan." A number of writers (myself included) have pointed out this particular problem, but none of us have yet come up with a good solution. It certainly wouldn't be practical for each facility to submit a compilation of all of the security procedures that are in use at the facility. For a larger facility this could easily run to a couple hundred densely written pages explicating who does what to whom. Evaluating such documents at DHS would certainly be unmanageable even with twice their current staff. Now, those procedures are actually more important than the SSP submission checklist when it comes to actually protecting the facility. But there is another problem with the submission of full procedures: DHS has taken the stance that the approved SSP is, in fact, an enforceable contract between DHS and the facility. Once the SSP is submitted and approved, DHS can require the facility to properly employ, train on and maintain the system outlined in its SSP. Failure to do so could result in $25,000/day fines. Now everyone knows that effective procedures must be living documents, constantly being updated and revised to reflect their operation in the real world. As long as such changes do not change the answers to the SSP questionnaire, facilities have more leeway to make these modifications. If the actual procedures were submitted and approved, DHS would have to buy off on even the smallest procedural changes.

Process Discussion

One thing that we have seen is that DHS realizes that their process must also grow and evolve as lessons are learned. Comments like Dick Sem's are an important part of the process of making the CFATS program more effective. I know that I have a significant readership at ISCD, so DHS is seeing this discussion. I would like to solicit comments from anyone that has been involved in the implementation process. Comments from security professionals are important, but so are comments from security managers of facilities that are going it alone, without advice from security professionals. System integrators and vendors will also have valuable inputs to this discussion. We do have to worry about CVI issues in this discussion. While I have decried the overuse of 'Anonymous' in posted comments, I would much rather have that than names that can be linked back to a single facility. And please, let's keep the discussion generic so that no facility's security is compromised.


Edward said...


While I in no way shape or form think that CFATS is a well oiled risk management machine, it does allow the skilled security analyst to assess the risk and implement appropriate mitigation strategies.

Here is a link to a webinar I have put on that discusses how to prepare for and develop a CFATS SSP.

Dick Sem said...

Patrick, I'd like to thank you for the thoughtful response and discussion. Two further thoughts:
Most of the questions in the SSP only allow for either "yes" or "no" answers when a "N/A" would be much more appropriate. And, the SSP does address "facility-wide security measures" pretty thoroughly and I think virtually all physical and procedural aspects of most facilities' security measures would end up being addressed in the SSP.

As to Ed's comment, while I agree that the skilled security analyst might more easily address this tool, I would think that most covered facilities don't have such a person, at least in-house. I would think that most of these are being completed by someone not in security, such as the facility EHS person. Anecdotally, an EHS person from a small chemical facility on the east coast called me and said he had attended two DHS-sponsored CFATS training programs and came out of them more confused than when he went in.

Jim Lupacchino said...

I respect Dick Sem's comments, as he made some valid points. As a consultant who assists clients working through the SSP process, I would like to share the following:

The SSP process is a detailed, diagnostic assessment of the efficacy of a high risk facility's security posture specifically driven by the COI's security issues and the intelligence-based threat scenarios.

The SSP's 1500 questions reveal opportunities to evaluate, implement and enhance security policy, process and strategy. A by-product of the inquiry is a snapshot of the current state of the facility's security culture and practice, including risks and gaps as it relates to COI's.

The SSP not only reviews the characteristics of the physical plant and property, it also evaluates the cross functional business activities that intersect with the COI's security issues.
Sales, Human Resources, and Customer Service uniquely impact COI security at different phases of the inventory or production cycle. One effect of SSP interaction with support departments can be the bridging of "silos" within some organizations. The SSP process can initiate synergy and convergence of security awareness for a more holistic security program.

The SSP process also fosters relationships with local and state emergency services. This exchange contributes to a more thorough understanding of the challenges first responders face specific to the facility's COI.

The DHS resources that exist (CFATS Help Desk, compliance assistance visits, DHS website, etc.) to support the facility are significant. It is obvious DHS is committed to communication and collaboration.

The Risk Based Performance Standards (RBPS) Guidance document is indispensable in the SSP process. Not only does it provide clarifications on how to meet the RBPS expectations, it offers examples of security measures, practices and metrics. The RBPS Guidance document also paints a picture of what these components might look like at different tier levels.

When combined with the current state snapshot that the completed SSP reveals, a high risk facility can begin to create a security program around the assets and COI's or validate aspects of an existing security program.

As the compliance effort matures, I trust that DHS and industry will continue in dialogue regarding lessons learned and process improvement.

Ultimately, the high risk facility's ability to recognize, react and respond to modern day threats is highly dependent on a proactive, holistic and validated security program. The SSP process is a significant effort in meeting that objective.

Thank you for the work you do here and for the opportunity to comment.

Jim Lupacchino
Director, Operational Support
Day & Zimmermann Security Services

PJCoyle said...

For my response to the comments made by Clark, Lupacchino, and Sem see:
