It is always nice to know that readers are paying attention to the details. Jon Greenwood posted a comment on my post about the first responder training at the meat processing facility. When I wrote about security issues being addressed, Jon commented:
“What about CVI for CFATS facilities? I don't believe that includes the press, and members from the local schools, churches, and civic organizations. The first responders definitely have a "Need to Know", and I believe every facility should include them in their security plans. I guess that's why there is a section for them in the SSP. But if I was an SSO of a facility, I don't think I'd want the general public to know about the security features (or lack of, in some cases) at my facility and I think that would violate CVI unless all those people had CVI.”
Jon is obviously correct, I did not address the Chemical-Terrorism Vulnerability Information (CVI) issue in my comments and should have. Anytime there is a discussion about security issues for any kind of facility (CFATS or not), careful attention must be paid to the make-up of the audience. Depending on the level of detail provided in the discussion, there is a very good chance that only CVI cleared personnel would be able to hear the discussion of security issues. This is going to be one of the major headaches for a facility security officer. How can they determine what information they can share about the facility security plan? Now the average fireman or cop on patrol is probably not going to be CVI certified, but they should be aware of many of the provisions of the security plan so that they can properly respond to an emergency on site. There should be people in the various departments of the local emergency response community, however, that are properly certified for CVI access so that they can participate in the security planning process. But even these people will not need to be read in on all of the details of the plan. Public Involvement Having said that, I would maintain that there should be some level of involvement of the local community in the security process. First off, they are going to have to be made aware of their personal responsibilities in the emergency response plan for an attack on the facility; that ERP should be an integral part of the security plan. Every neighbor that would be affected by a successful attack is going to have to know how to respond in that event, in order to protect themselves. This means that they are going to have to know how to determine that they are at immediate hazard, and how to respond to various possible outcomes from a successful attack. Trying to explain this to them as a toxic cloud forms outside their home is too late.
Additionally, neighbors can be a valuable resource in identifying the early stages of the preparation for an attack on the facility. They would probably be the first to recognize strangers in the area; strangers conducting pre-operational reconnaissance. They would be able to report suspicious behaviors and unusual questions being asked about the facility. For them to be actively involved, they are going to have to be educated about the potential risk, the things they could be expected to report, and how to make such reports. Completely shutting them out of the security process because they are not CVI certified is short sighted. They don’t need to be informed about much of the security plan, but they do need to know that the facility is potentially at risk of being a target of a terrorist attack.