On Friday the American Chemistry Council posted their “Alternate
Security Program (ASP) Guidance for CFATS Covered Facilities” on their web
site. This .PDF document, along with its two embedded .DOCX documents provide
information and a template for submitting an alternative (this is the DHS
terminology) security program to DHS in lieu of the complete Site Security Plan
DHS provides on its Chemical Security Assessment Tool (CSAT) site.
ASPs
Section 550(a) of the Homeland
Security Appropriations Act of 2007 specifically authorizes the DHS
Secretary to “approve alternative security programs established by private
sector entities, Federal, State, or local authorities, or other applicable laws
if the Secretary determines that the requirements of such programs meet the
requirements of this section and the interim regulations”.
In a number of Congressional hearings I have heard
Congressmen incorrectly explaining to industry and DHS witnesses that the ASP
allows DHS to “give industry credit for work they have already done on site
security”. This is very misleading in that there are no provisions in the law
or regulation that allows the approval of an ASP for a security program that
does not meet the standards set forth in the Risk
Based Performance Standards (RBPS) Guidelines document based upon §27.230
of the CFATS interim regulations.
Nor does the preparation of an ASP obviate the need for
using the Site Security Plan tool within CSAT. The SSP tool will, in fact, be the
tool used to submit the ASP. After the facility ensures that the Facility
information portion of the tool has been completed, the SSP tool {Site
Security Plan Instruction Manual, pg 29} will ask four questions about the
potential use of an ASP:
• Does the ASP address each
security/vulnerability issue identified in the facility’s SVA, and identify and
describe security measures to address each such security/vulnerability issue? [Q:5.61-18413]
• Does the ASP identify and
describe how security measures selected by the facility will address the
risk-based performance standards and potential mode of terrorist attack? [Q:5.61-18414]
• Does the ASP identify and
describe how security measures selected and utilized by the facility will
address each applicable performance standard for the appropriate risk-based
tier for the facility?
• Does the ASP provide other
information that the Assistant Secretary has deemed necessary, through the DHS
Final Notification Letter or other means, regarding facility security? [Q:5.61-18416]
Only if a submitter can answer ‘Yes’ to all four questions
should the ASP be submitted.
So, if all of the work necessary to prepare an SSP has to be
done anyway, why use an ASP? The answer is three-fold.
First, the document that a facility will upload to the SSP
tool for their ASP (in the case of this ASP in any case) will actually be able
to serve as a formal site security plan. The document will actually be able to
be read and understood by both facility personnel and DHS Chemical Facility
Inspectors, and the information will be readily accessible. The same cannot be
said for the printed copy of the question/answer format of the DHS SSP tool.
Second, we know that the current SSP tool has proven to be
totally inadequate as an effective data collection device. The routine
responses to the questions asked in the tool have not provided adequate
information for DHS analysts to determine if the facility site security plan
adequately addresses the RBPS guidelines. This ASP does seem to me to better
address the data collection needs of DHS, making for a smoother SSP approval
process.
Finally, at the end of the day, the approved SSP (SSP/ASP)
will serve as the standard by which the facility security program is measured
in all future inspections by DHS. A formal document like the one prepared in
this ASP will be a much better reference for facility personnel and DHS
inspectors to go back to determine what the actual approved security program is
for that facility; something that cannot be easily done with the current SSP
tool format.
The ACC ASP
The American Chemistry Council is a large industry group
that represents a significant portion of American chemical production
companies. They developed this ASP principally as a tool for their member
organizations that have facilities covered by the CFATS program. As I currently
understand things the ACC will allow anyone to use their ASP. There is no
log-in required to be able to download the document and the ACC has no way of
know who uses their format to submit data to DHS.
As would be expected, the ACC is not making any specific
claims about the use of this ASP; they have no control of the information the
facility places within the document. Their guidance document clearly states
that:
“ACC takes no
responsibility for any action taken by an individual ACC member or other party.”
The format and style has been approved by DHS. That does not
mean that DHS will automatically approve an SSP submitted using this format. It
simply means that DHS has worked with ACC and that the format, properly
executed, should be able to provide the necessary information in a format that
DHS can use to evaluate the efficacy of the facilities SSP.
According to Scott Jensen, Director for Issues
Communications at the ACC, there have been at least two facilities that have
used this ASP to complete their SSP filing. In both instances, the folks at DHS
used a protocol that was used very successfully in the development of the Top
Screen and the Security Vulnerability Assessment tools; they had folks
(analysts and inspectors) on site during the submission process to see how
things actually worked on the ground. Their feedback along with comments from
the facility teams, allowed the ACC to do the fine tuning necessary to make
this a workable ASP format.
More Work Required
One thing is very clear to me, it is going to take much more
work to complete the ACC ASP than it would be to answer the questions in the
DHS SSP. Writing out the information in clear and understandable prose can be
hard work, much harder than clicking on boxes or preparing short answers to
specific questions. On the other hand nobody has gotten a site security plan
authorized based upon the submission of the SSP tool. DHS has had to come back
and dig for additional information to get what they needed.
Additionally, the facility was going to have to write a
useable site security plan document in any case and that was going to be
duplicative work. Why not use the same document to fulfill both requirements?
Future Posts
As my long time readers will have come to expect, I’ll be
taking a more detailed look at the ACC ASP in future blog posts.
Posts
1 comment:
I have read your post, which I find to be very well done, as one might expect.
However, your observation that the ASP would take more work to complete is not actually the case. In fact, the opposite was reported by several owner/operators who were involved in the pilot testing and said that the ASP saves significant time over the SSP. This is true mainly due to the amount of duplication that is eliminated in the ASP versus the SSP.
The ACC ASP provides guidance and instruction on the type of information and the level of detail needed to complete a successful ASP. Much of this guidance and instruction was developed in cooperation with DHS. This should be no surprise, since DHS is the one who has to analyze them. The DHS field inspectors who participated in the pilots also reported that the ACC ASP offers a significant improvement over the SSP for use during auditing.
We believe the ASP will be very helpful toward simplifying and streamlining the process for both the regulated community and DHS.
While there is more work to be done, the willingness of DHS to work with industry is a step in the right direction. Moving this type of partnership forward will be critical to the overall success of CFATS and enhancing chemical security across the nation.
Regards, Bill Erny, American Chemistry Council
Post a Comment