This is the third in a series of blog posts about the
recently published American Chemistry Council Alternative Security Plan for the
CFATS program. The earlier posts are listed below. This post will look at the “Alternate
Security Program (ASP) Template Guidance and Instructions” (Instructions) that
is embedded in the “Alternate
Security Program (ASP) Guidance for CFATS Covered Chemical Facilities” (Guidance
document) that forms the core of the downloadable program.
The Instructions can be found on page 18 of the Guidance
document. Click on the first ‘paperclip’ symbol on the page and you will open
the file:
ACC ASP Template Guide and
Instructions Final20121130.docx
The numbers at the end of the file name may change as the
ACC updates and revises this program.
Chemical-Terrorism Vulnerability Information (CVI)
It was mentioned briefly in the ASP Guidance document that
everyone who will be accessing the partially completed SSP/ASP document will
have to be CVI trained and certified. Once any information about the security
of the facility is entered into the template it becomes a document requiring
CVI protection. Make sure that everyone who will be working with this
information has completed the online
training course and copies of their training certificates are on file.
Before You Start
Pages 2 through 9 of the Instructions provide a general set of
guidelines that should be followed when filling out the template. I strongly
recommend that the entire team that will be working on the SSP/ASP preparation
carefully read those 7 pages of the Instructions and be familiar with any
of the Risk Based Performance Standards (RBPS) in the RBPS
Guidance document published by DHS that they may be responsible for. This
familiarity will make it much easier to fill in the template with verbiage that
includes the key words and phrases in the RBPS that the folks at DHS ISCD will
be looking for in their evaluation of the SSP/ASP.
RBPS
There is a brief discussion of the RBPS in the ASP Guidance
document and there are two brief explanations of the RBPS in the Instructions,
but both documents gloss over a very important point. While DHS may not (prohibited
by Congress) specify a particular security measure, they do spell out in the
RBPS Guidance document the way they will measure compliance (RBPS Metrics) with
each RBPS at the specific Tier level to which a facility has been assigned. The
difference between the required performance metrics for two different tiers may
be one word, e.g., ‘routinely’ vs ‘usually’. Including these key words in the
description of a security measure may make it easier for DHS analysts to
understand the intent of the security plan.
Attack Scenarios
One of the more confusing ideas that DHS included in their
CFATS program was the idea of “Attack Scenarios”. Security professionals
initially thought that the seven scenarios proposed by DHS were the proposed
design basis for the security plans, attacks that had to be prevented for the
plan to be successful. That was not the intent of DHS. As the Instruction
document explains (pg 3):
“Rather, the attack scenarios are
analytical devices, supporting the evaluation of a facility’s security and
enabling DHS to conduct comparative risk analysis across the sector.”
The Security Metrics in the RBPS explain how well the
facility (at its specific tier level) must be able to deal with those
scenarios. As the Instructions document explains, not all attack scenarios
apply to each RBPS. But when they do apply, they should be specifically
addressed in the words that are put into the template so that it is clear to
the ISCD analysts that the facility has addressed the issue.
Security Approach
There is a nice discussion in the Instructions document
about the differences between perimeter based and asset based security
measures. Essentially, the ‘perimeter based’ approach includes the entire
facility whereas the ‘asset based’ approach only provides security measures for
a specific area of the facility where a COI is found. For a facility with a
single high-risk COI, it may make more economic sense to confine the bulk of
the security measures to the area where that COI is used/stored. For facilities
with multiple COIs at varying security levels, it may make more sense to
protect the facility at the level for the COI with the lowest tier ranking
(provided by DHS) and reserve the more complex security arrangements for the
area around the highest tier-ranked COI.
As noted on page 5 of the Instructions document:
“In the description of a specific
security measure, ASP preparers should describe whether it is applied facility
wide or to specific assets.”
Too Much Information
As the Instruction document alludes to, the problems that
ISCD has had with not being able to authorize SSPs have been in large part due
to not receiving enough information from the facility about their security
plans. So generally speaking, the more the better, but there is a limit. As the
Instructions document states on page 7:
“On the other hand, the preparer
may wish to limit detail that does not relate to the listed COI or the
performance of the specific security measure or system, to allow for minor
changes without the need for ASP resubmission.”
This is an important point that needs to be clearly
understood by facility management. Once the SSP/ASP is authorized by DHS it is
essentially a legally binding document outlining the inspectable requirements for
facility security under the CFATS program. The congressional prohibition
against specifying particular security programs no longer applies. If a
subsequent ISCD inspection does not find an authorized component of the SSP/ASP
in place, the facility may be fined up to $25,000 per day or even shut down (an
extreme case to be sure) for non-compliance. Any changes to the authorized ASP
must be approved by ISCD before they are made.
One way to get around some of this problem will be to
include the little details of the plan in separate documents describing
specific procedures and processes. The Instructions document notes that:
“It is not necessary to include the
text of every procedure that is described in the ASP. Use an unambiguous reference that is clear to
facility personnel and that inspectors can request by name for review, for
example, ‘Suspicious Activity Reporting Procedure S.4.01’.”
There must be, however, enough detail in the submitted ASP
to allow the ISCD analysts to determine if the RBPS Security Metrics have been
met.
Take Credit for Everything
The last topic that is specifically discussed in the first
nine pages of the Instruction document is a reminder to take a careful look at
everything that the facility does to determine if it contributes to security.
Many process safety and almost all emergency response measures already in place
at the facility may contribute to the security plan, particularly the ‘Response’
RBPS. Simple things like referring to a COI by a company product name rather
than an easily recognizable chemical name will make it harder for an attacker
to find their target. Pages 8 and 9 of the Instruction document provide a
short list of things to look at.
Just remember, though, if you take credit for it and list it
in the ASP you must continue doing it until DHS gives you permission to change.
The Template
The remainder of the 30-page Instruction document is an annotated
copy of the template. Explanatory material and completion suggestions are
provided in blue type. Almost everything in black type should remain in the
submitted document with appropriate additional supporting information. I’ll
look at the actual template in some detail in later blog posts.