This is the third in a series of blog posts about the recently published American Chemistry Council Alternative Security Plan for the CFATS program. The earlier posts are listed below. This post will look at the “Alternate Security Program (ASP) Template Guidance and Instructions” (Instructions) that is imbedded in the “Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities” (Guidance document) that forms the core of the downloadable program.
The Instructions can be found on page 18 of the Guidance document. Click on the first ‘paperclip’ symbol on the page and you will open the file:
ACC ASP Template Guide and Instructions Final20121130.docx
The numbers at the end of the file name may change as the ACC updates and revises this program.
Chemical-Terrorism Vulnerability Information (CVI)
It was mentioned briefly in the ASP Guidance document that everyone that will be accessing the partially completed SSP/ASP document will have to be CVI trained and certified. Once any information about the security of the facility is entered into the template it becomes a document requiring CVI protection. Make sure that everyone who will be working with this information has completed the online training course and copies of their training certificates are on file.
Before You Start
Pages 2 thru 9 of the Instructions provide a general set of guidelines that should be followed when filling out the template. I strongly recommend that the entire team that will be working on the SSP/ASP preparation carefully read those 7 pages of the Instructions and be familiar with the any of the Risk Based Performance Standards (RBPS) in the RBPS Guidance document published by DHS that they may be responsible for. This familiarity will make it much easier to fill in the template with verbiage that includes the key words and phrases in the RBPS that the folks at DHS ISCD will be looking for in their evaluation of the SSP/ASP.
There is a brief discussion of the RBPS in the ASP Guidance document and there are two brief explanations of the RBPS in the Instructions, but both documents gloss over a very important point. While DHS may not (prohibited by Congress) specify a particular security measure they do spell out in the RBPS Guidance document the way they will measure compliance (RBPS Metrics) with each RBPS at the specific Tier level to which a facility has been assigned. The difference between the required performance metrics for two different tiers may be one word, eg: ‘routinely’ vs ‘usually’. Including these key words in the description of a security measure may make it easier for DHS analysts to understand the intent of the security plan.
One of the more confusing ideas that DHS included in their CFATS program was the idea of “Attack Scenarios”. Security professionals initially thought that the seven scenarios proposed by DHS were the proposed design basis for the security plans, attacks that had to be prevented for the plan to be successful. That was not the intent of DHS. As the Instruction document explains (pg 3):
“Rather, the attack scenarios are analytical devices, supporting the evaluation of a facility’s security and enabling DHS to conduct comparative risk analysis across the sector.”
The Security Metrics in the RBPS explain how well the facility (at its specific tier level) must be able to deal with those scenarios. As the Instructions document explains, not all attack scenarios apply to each RBPS. But, when they do apply they should be specifically addressed in the words that are put into the template so that it is clear to the ISCD analysts that the facility has addressed the issue.
There is a nice discussion in the Instructions document about the differences between perimeter based and asset based security measures. Essentially, the ‘perimeter based’ approach includes the entire facility whereas the ‘asset based’ approach only provides security measures for a specific area of the facility where a COI is found. For a facility with a single high-risk COI, it may make more economic sense to confine the bulk of the security measures to the area where that COI is used/stored. For facilities with multiple COIs at varying security levels, it may make more sense to protect the facility at the level for the COI with the lowest tier ranking (provided by DHS) and reserve the more complex security arrangements for the area around the highest tier-ranked COI.
As noted on page 5 of the Instructions document:
“In the description of a specific security measure, ASP preparers should describe whether it is applied facility wide or to specific assets.”
Too Much Information
As the Instruction document alludes to, the problems that ISCD has had with not being able to authorize SSPs have been in large part due to not receiving enough information from the facility about their security plans. So generally speaking, the more the better, but there is a limit. As the Instructions document states on page 7:
“On the other hand, the preparer may wish to limit detail that does not relate to the listed COI or the performance of the specific security measure or system, to allow for minor changes without the need for ASP resubmission.”
This is an important point that needs to be clearly understood by facility management. Once the SSP/ASP is authorized by DHS it is essentially a legally binding document outlining the inspectable requirements for facility security under the CFATS program. The congressional prohibition against specifying particular security programs no longer applies. If a subsequent ISCD inspection does not find an authorized component of the SSP/ASP in place, the facility may be fined up to $25,000 per day or even shut down (an extreme case to be sure) for non-compliance. Any changes to the authorized ASP must be approved by ISCD before they are made.
One way to get around some of this problem will be to include the little details of the plan in separate documents describing specific procedures and processes. The Instructions document notes that:
“It is not necessary to include the text of every procedure that is described in the ASP. Use an unambiguous reference that is clear to facility personnel and that inspectors can request by name for review, for example, ‘Suspicious Activity Reporting Procedure S.4.01’.”
There must be, however, enough detail in the submitted ASP to allow the ISCD analysts to determine if the RBPS Security Metrics have been met.
Take Credit for Everything
The last topic that is specifically discussed in the first nine pages of the Instruction document is a reminder to take a careful look at everything that the facility does to determine if it contributes to security. Many process safety and almost all emergency response measures already in place at the facility may contribute to the security plan, particularly the ‘Response’ RBPS. Simple things like referring to a COI by a company product name rather than an easily recognizable chemical name will make it harder for an attacker to find their target. Pages 8 and 9 of the Instruction document provides a short list of things to look at.
Just remember, though, if you take credit for it and list it in the ASP you must continue doing it until DHS gives you permission to change.
The remainder of the 30 page Instruction document is an annotated copy of the template. Explanatory material and completion suggestions are provided in blue type. Almost everything in black type should remain in the submitted document with appropriate additional supporting information. I’ll look at the actual template in some detail in later blog posts.