Saturday, January 5, 2013

ACC ASP – Template

This is the fourth in a series of blog posts about the recently published American Chemistry Council Alternative Security Plan for the CFATS program. The earlier posts are listed below. This post will look at the “ACC ASP Template Final20121107” (Template) Word file that is imbedded in the “Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities” (Guidance document) that forms the core of the downloadable program.

Protective Markings

The template is essentially the same as the last twenty pages of the on the instructions that I discussed in the earlier post. There are, however, some important differences between the two. First the template includes all appropriate Chemical-Terrorism Vulnerability Instruction (CVI) markings that will have to be on the document when it is submitted to DHS, including front and rear ‘cover’ pages and a footer “warning” statement. As soon as any facility information is placed in the template it becomes a document requiring CVI protection.

Any attached documents will require the same cover pages and page markings. Cover pages can be found on the CVI web page.


The basic format of the document is an outline based upon the outline found in the Table of Contents. The outline markings are based upon bullet points instead of letters or numbers. If you want to change it to a more classical outline that allows easy reference to the paragraphs within the sections that can easily be done in Word®. Personally I would use a numbered outline system for reasons that will be clearer shortly.

Unlike the template found in the Instruction document, the page numbering on the Table of Contents page is not actually linked to the section headers. One of the last things that you are going to want to do before submitting the completed ASP document in the DHS CSAT SSP Tool will be to put the appropriate page numbers in the Table of Contents. This will actually make it easier to copy sections from the template into separate documents to farm out the completion of the information to different people or teams. Again, remember that the CVI marking and protection rules will have to followed for those abstracted sections as soon as any facility information is entered.

Duplicate Information

There will be places in the document where the same information will be entered in different places. While DHS won’t be concerned about seeing duplicate (the key here is that it really is duplicate) information in multiple places, there is a good reason for not writing the same information in more than one place. If you have to go back and make a change to it for some reason you may miss one or more iterations.

It will be more effective to write it one time and then refer back to it in later places in the ASP documentation using conventional notations like “{See Section 5.2(a)(1)}”. This is the reason that I suggest using number (or lettered) paragraphs within each section instead of bullet points.

Detailed Information

This bears repeating, one of the main problems that DHS has encountered with their SSP authorization process has been that an inadequate amount of information describing parts of the security process for the facility has been included in the SSP submission. While the ASP process makes submitting the information easier (and subsequently more useable) there still needs to be a sufficiency of information provided.

Remember, analysts will be sitting in an office building somewhere reading the information provided by the facility trying to determine if the security measures provide an adequate measure of protection for the facility at its present tier level. Telling them in section 5.1 that there is a chain-link fence around the facility perimeter is not adequate information, they need to be told something like this:

“The facility is protected by 1,257 feet of commercial grade chain link fence. All segments of the fence are 8 foot tall with an outward-facing 18” top-guard with four strands of razor-wire. Corner posts have two top guard supports at a 90 degree angle from each other. Fence posts are set in three foot of concrete and placed at no more than 15 foot intervals. A single course of cinderblocks set in an 18 inch deep concrete footing runs under the fence fabric between each post with anchors placed no further than three feet apart to attach the fence fabric to the cinder block.”

Okay, my fence is a bit of overkill, but it is completely described.

Not Too Much Information

Remember that every detail that you put into the ASP submitted to ISCD is an inspectable part of your site security plan. To change any of those details you have to re-submit the revised ASP and hope that it passes muster with DHS. If you make changes without that pre-approval, it could cost you up to $25,000 per day, or, in the worst case, cause DHS to issue a facility closure order.

The area that will probably cause the most problem for this is not the physical plant. The more likely area will be in processes and procedures. Where possible the process or procedure documents will be maintained in documents separate from the ASP and the title of the appropriate document will be mentioned in the ASP where necessary.

For example if you use padlocks on unloading valves as part of your process to protect access to a COI you are going to have to have some method to maintain control of the keys to those locks to prevent that unauthorized access. Rather than outlining your entire key control process you could explain that: “The keys for those valve locks are maintained in the locked key box in the Shift Supervisor’s Office and are only issued in accordance with the provisions of the Facility COI Key Control Procedure.” Once part of the authorized SSP, that wording would allow a Chemical Facility Security Inspector (CFSI) to verify that the process in that procedure was being followed, but not to evaluate the details of that process.

It would probably be a good idea to maintain a list of all of the referenced processes and procedures in Section 1 of the ASP.

Key Words and Phrases

One of the things that does not receive enough emphasis in the supporting documentation for the ASP is the importance of using certain key words and phrases when describing facility security measures. These key words and phrases can be found in the RBPS Metrics for each Risk-Based Performance Standard in the RBPS Guidance document.

For example section 5.1 of the ASP calls for a description of ‘Vehicle Barriers’ and the Security Metric 1.2 for Restrict Area Perimeter (pg 29) Tiers 1 and 2 calls for “Entrances equipped with traffic control systems to slow incoming traffic…”. Given that combination I would suggest that the description start with:

“The single vehicle gate is equipped with traffic control devices to slow incoming traffic. The traffic control devices consist of ….”

Memorandum of Understanding

There are a number of references to “MOU in place” in the “Emergency Responders, Off-sit” paragraphs of Section 2 of the ASP. An MOU is a memorandum of understanding between facility management and an organization outside of the facility (local police, fire departments, or emergency medical services for instance) that is providing some sort of support to the facility Site Security Plan.

As long as the facility is relying on an outside agency as part of its SSP, it needs to be able to show that the agency is prepared to provide the necessary services. The MOU needs to specify what type of support will be provided, under what circumstances, and what type of response time could be expected. Probably the most important aspect of the MOU is that it needs to be signed by an appropriate official of the supporting agency.

One More Posting

The next and final posting in this blog series will address how the completed ASP is submitted to DHS.

No comments:

/* Use this with templates/template-twocol.html */