DHS Updates CFATS SSP Status

Last weekend I complained about the CFATS Update being late. It turns out that I may have been a little unfair in that assessment. Yesterday the folks at the DHS Infrastructure Security Compliance Division (ISCD) posted their November CFATS Update Fact Sheet to the Critical Infrastructure: Chemical Security web site. The reason for the ‘delay’ is that they changed the ‘as of date’ from the first of the month to November 19^th to provide a full month of regulatory activity instead of reporting the calendar month that was half ate up due to the federal funding fiasco. That change in reporting period may have ended up being a political miscalculation. It turns out that there was a dramatic drop in the SSP approval rate and with the changed effective date it can’t be blamed on Congress.

The Data

To see what I mean just look at the Total Number of SSPs Authorized/Approved graph below. The number of Authorized plans continues to grow nicely, but there is only a small growth in the number of Approved plans.

The true extent of the problem can be better seen in the SSPs Authorized/Approved per Day graph below. This shows that the SSP daily approval rate is the lowest since ISCD started providing these updates in April.

In fact, if you look at the total number of facilities yet to be approved and allow ISCD a 50 week work year at 5 days per week, it will take ISCD 27.1 years to complete the remainder of the SSP approvals at the daily rate exercised in the latest period.

The Problem

Two weeks ago I reported a potential reason for this drop in approval rates. I had heard from the field that there has been an increasing number of instances where the subject matter experts at ISCD Headquarters were over ruling the recommendations from the chemical security inspectors (CSI, again PLEASE lets change their title to get rid of that acronym) on the approval of the site security plans at the smaller chemical facilities. These are the facilities that are now typically being visited in the SSP approval/authorization process.

The whole point of the tiering process in CFATS was to ensure that the lower risk facilities only had to have security measures commensurate with the risk they faced. A realistic security program has to take into account that smaller facilities (usually from smaller companies) also will not have the expertise and resources (manpower and money) to have as elaborate a security system as larger facilities. But, they also have the advantage of having fewer people on site who all know each other and know more about the facility details than would the employees and contractors at a larger facility. Security anomalies will be caught faster at these smaller facilities than would similar situations at the bigger, more anonymous chemical plants.

We should be seeing an increase in the rate of authorizations and approvals for site security plans now that the bulk of the large, complex facilities have been taken care of. It should be taking a smaller team of CSI to visit each facility. The inspections should be taking less time as there is less stuff to look at. The CSI proficiency at conducting the inspections should be increasing and the contractors supporting the facility security plans should have a better understanding of the SSP authorization and approval process. All of this means that we should be seeing an acceleration in the rate of authorizations and approvals, not a slowdown.

The Alternative View

Now there may certainly be another explanation for the delay. The FFF may have caused a number of CSI to quit, for instance (I have not heard of any such reports, but it is possible). As always, I freely offer to provide ISCD Director Wulf, or any of his staff, open access to this forum to provide another explanation for the change in the SSI approval rate.

In any case, we will be hearing an explanation when he goes back before Congress. Any one of three House committees and the Senate Homeland Security Committee are all about due to hold CFATS oversight hearings again in the near future. And they are notoriously less likely to actually listen to the response.

NOTE: Graphs were added at 11:15 CST on 11-26-13