Sunday, March 11, 2012

More on ISCD Hearing – Industry Suggestions

Earlier this week I noted in a blog post on the ISCD hearing held before a subcommittee of the House Homeland Security Committee on Tuesday that the industry witnesses had offered suggestions about how the CFATS implementation could be improved. None of this was directly mentioned in the oral presentations or addressed in the questioning by the Subcommittee (with the exception of one tiny inconsequential question and answer), but it was included in the written testimony of Timothy Scott (DOW/ACC) and Bill Almond (SOCMA).

There wasn’t anything that was really new in these suggestions; SOCMA and ACC have been mentioning most of these for some time now; but this was an appropriate venue to bring them up. It would have been nice if there had been more time for consideration/discussion of these suggestions, but that is a common problem with congressional hearings; just not enough time for a discussion of all of the interesting and important topics.

The suggestions fall into three broad categories:

• TWIC-Personnel Surety Program

• Alternative Security Programs

• Outside Inspectors

TWIC-Personnel Surety Program

There is one area where there is broad agreement between management and labor and Democrats and Republicans is that the personnel surety program being developed (‘being developed’ for a number of years) by ISCD for use by CFATS facilities to fulfill the requirement of the Risk-Based Performance Standard #12 should ‘give full credit’ for the TWIC and other federal identity documents that include vetting against the Terrorist Screening Database (TSDB).

What everyone (except ISCD) wants is for facilities not to be required to submit information to an ISCD Personnel Surety Tool for any employee that has a TWIC or HME (those being the two most common federal programs that would be represented by significant numbers of chemical personnel). ISCD wants information on TWIC/HME holders to be submitted so that they can check that those documents are still current; something that facility security managers can and should do. ISCD has made clear that it wants a list of everyone that is a CFATS employee or has unaccompanied access to a high-risk (CFATS) chemical facility; just not why that list is important or even necessary.

If this is all that the TWIC discussion was really about, this would be a no brainer. Congress should step in and tell DHS that the TWIC fully meets the requirements for vetting personnel against the TSDB. OOPS, congress, in their Section 550 (Department of Homeland Security Appropriations Act 2007) authorization language, specifically told DHS that they could not require any specific security measure. And Congress put nothing in that language requiring vetting against the TSDB; another of the many problems caused by the political failure of Congress to pass a comprehensive chemical facility security bill.

Another problem that has not been addressed in the discussion about TWICs is that many in the chemical industry intend to use the TWIC instead of managing their own personnel surety program. Currently ISCD intends for each facility to do its own background check on each employee and on each guest given unaccompanied access to restricted areas of the facility with ISCD only getting involved in the TSDB vetting. If a facility were to require possession of a TWIC as a condition of employment and require all site visitors and contractors to also have a TWIC, they would not have to worry about the liability issues related to conducting and evaluating criminal background checks.

Some of the facilities (perhaps even most) will reimburse employees for the cost of obtaining a TWIC. There will certainly be a significant number that will not cover that cost, thus passing a portion of the cost of their personnel surety program onto employees. Since (as I understand it) the TWIC fee is an application processing fee will any of these companies reimburse employees that cost if they are denied a TWIC?

And there is the legal issue that has yet to be resolved; TWICs are used by ‘transportation workers’ that require access to MTSA covered facilities. Each applicant is required to affirm on their application that they require access to an MTSA facility as a requirement of their job. Since CFATS facilities are, by law, not MTSA covered facilities, companies requiring TWICs as a prerequisite for employment, will be asking many people to lie when they make that affirmation, a crime under federal law.

Congressman Lungren’s (R,CA) Subcommittee would do well to hold a hearing or two about this specific TWIC/CFATS issue and craft legislation as appropriate.

Alternative Security Programs

Congress in their extensive guidance to DHS about the establishment of the CFATS program (more than just a little sarcasm here) did authorize the Secretary to “approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations”. This sounds like a great way for DHS to reduce their review/inspection workload; however, the very next paragraph of §550 says:

“Provided further, That the Secretary shall review and approve each vulnerability assessment and site security plan required under this section” {§550(a)}.

ISCD has set-up on-line tools for submission of data to be reviewed. The Site Security Plan tool is not really a site security plan, but rather a series of questions about the SSP. The answers to those questions are supposed to allow ISCD to evaluate if the SSP meets the risk-based performance standards outlined in 6 CFR 27.230. Since facilities submitting an alternative security plan still have to meet those standards, ISCD needs to review those submittals as well.

The only difference is that there will be a different format used for that data submission. I certainly don’t see how this will make ISCD’s work load any easier to bear. Either the submission will be an actual written ASP (an actual readable document that will explain what security measures are to be in-place, how they will be implemented, and who will have what responsibilities in implementing and enforcing those measures) or it will be another questionnaire about such a plan that ISCD will use in the same manner as they use the responses to their SSP tool.

Now I suppose that it is entirely possible that the ACC, or SOCMA, or any other industry supported organization could come up with an on-line data submission tool that would collect more appropriate data and/or organize the data collected in an easier to evaluate format. If that is the case (and the current SSP tool is very incomplete and poorly organized at best) then the ASP will be helpful. The only problem is that if every different industry organization comes up with a different ASP submission format; that is going to aggravate the current training problems at ISCD. And that isn’t going to improve anything.

Outside Inspectors

There was one relatively new suggestion made by Mr. Scott in the memo attached to his prepared testimony. On page 6 of that testimony/memo he makes the following proposal:

“DHS should consider an alternative self-inspection program for lower tier facilities (Tiers 3&4) using accredited third-party auditors. This alternative inspection program could be monitored with statistical sampling (audit schedule) by DHS CFATS inspectors to verify compliance. This would help streamline the program by lessening the burden on the DHS inspection cadre and allow DHS to focus resources and attention on higher risk facilities (Tiers 1 & 2). Existing private sector programs could be leveraged under this concept including the Responsible Care Security Code Program, which is mandatory for membership in ACC and requires third-party certification by an accredited third-party auditor.”

This idea does have a certain appeal. It would cover the vast bulk of the 4,000+ facilities currently in the CFATS program and it would certainly allow inspectors to spend more time at the highest risk facilities conducting final approval inspections and periodic re-inspections to allow for assurance that the programs are being properly maintained.

This would, however, specifically violate another congressional mandate in §550:

“The Secretary of Homeland Security shall audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section.” {§550(e)}.

So, DHS could consider this idea, but it would require specific congressional authorization to implement. I can just hear Rep. Thompson (D,MS) complaining about ‘inherently governmental functions’ when this comes up for discussion.

Besides, this will do nothing to address the current problems that ISCD is facing in getting SSPs approved. The compliance inspections have yet to start and we have many years to go before Tier 3 and 4 facilities will have to start to worry about compliance inspections.

The Real Problem

These industry suggestions, and even the Anderson-Wulf report, do not address or even identify the real problem that ISCD is having with the approval of SSPs at Tier 1 facilities. These facilities are huge and complicated and even the most basic security plan for them will also be huge and complicated. ISCD really had no idea how large or complicated an oil refinery (for instance) is or how complex a security plan for such a facility would have to be.

It quickly became obvious to all involved that the SSP tool was nowhere near complex enough to gather the data necessary to determine if the SSP was adequate to cover the 18 risk-based performance standards (RBPS). This is why DHS had to institute the ‘pre-authorization’ inspection program that were never included in the original CFATS program outlined in 6 CFR Part 27. Oh, and by the way, there is no authorization or requirement in those regulations to conduct those inspections.

If (and that is always an exceedingly large word in meaning if not spelling) they now have enough information to make that evaluation they face the second basic problem with CFATS program; ISCD cannot dictate what security measures are necessary to achieve compliance with those RBPS. Thus, ISCD has to negotiate with facility management as to what security measures will meet the requirements of the CFATS program. Again, this negotiation process is not specifically spelled out in the CFATS regulations, but is an inherent result of the congressional restrictions placed on DHS.

Now, I am reasonably certain that ISCD does not have the personnel trained in both security and chemical processing necessary to determine specifically what security measures are appropriate at any given facility. So there is no way that they should be given the authority to dictate security measures. This means that we are stuck with the current, and necessarily slow, SSP authorization process.

Additional inspectors and staff review personnel may help to speed up the process some. Some additional speed will come from the experience gained in previous negotiations on both the industry and government side of the table. And additional speed will be gained when the facilities are smaller and less complex.

But none of the items under discussion in these hearings, or probably anything in the Anderson-Wulf report will address this underlying problem. Until we start discussing this issue nothing can be done to significantly improve the time that it takes to complete the SSP authorization process.

No comments:

/* Use this with templates/template-twocol.html */