I recently had an interesting conversation with a reader associated with ISCD (who will remain nameless for obvious reasons). One of the topics that came up was how ISCD goes about approving site security plans.
The Approval Process
Now ISCD is a little vague on the details of the process that they use to review a submitted SSP, but the basic outline is this:
An initial review of the submission is done at ISCD HQ. This includes a rough overview to ensure that all of the required information is included. Then it gets divided up and sent off to various subject matter experts (SME) for a more detailed review of the submission data. ISCD HQ may ask facility for missing information or clarification of inadequate information.
Chemical Security Inspectors (CSI; I still hate that name, Gil Grissom comes immediately to mind) make a series of visits to the facility (Pre-authorization inspection and authorization inspection are generally the minimum) to actually look at the facility, clear up any misunderstandings about submitted information and to actually look at the facility to ensure that the submitted data bears a good resemblance to what is happening on the ground. The CSI will make a recommendation about the status of the SSP.
A final review is done at ISCD HQ and based on some sort of review of SSP submission data, CSI recommendations and HQ subject matter experts recommendations a ruling is made on the SSP. The good ones get an authorization letter and get put on the list for an approval inspection. The ‘bad’ ones go back into the submit data, review, inspect, and review cycle until they get put into the authorized list. Uncooperative facilities can get transferred into the civil enforcement process, but I haven’t heard of any being placed in that track in the SSP process.
Which Review Gets the Most Weight
The question that came up in the conversation that I mentioned earlier is how do you weight the two different types of reviews, the ones conducted by CSI and the ones conducted by SME? Or to put it another way, when there is a conflict between the two types of recommendations, who does the final authorizing authority side with?
Now both reviews are valuable and necessary, but if there is a conflict in the conclusions reached in the two types of review, I would certainly have to side with the people on the ground. Since they are the ones that had a chance to walk the facility and actually look at what was on the ground, they should have a better appreciation for both how seriously the facility is taking their security program, how well the folks are actually trained to fulfill their security roles and how well the security measures mesh together in a security zeitgeist.
This is particularly true for facilities that do not use an alternative security plan (ASP) like the ACC ASP. As I have noted on a number of occasions, the current SSP questions are really inadequate for the purpose of eliciting adequate information allowing for a full SME review of the SSP. Facilities must use the free form description blocks to be able to adequately describe all of the necessary characteristics of a particular security measure.
Facilities that have good writers or consultants that know what verbiage the DHS SME are looking for will not have a problem with giving those SME adequate information to get an SME approval recommendation. A favorable review in this case may clear an inadequately secured facility.
A facility without a good writer that is versed in security matters or, lacking that, a well-connected contractor will be at a severe disadvantage in this HQ review process. They will not be able to paint the proper picture in the eye of the SME that will result in a favorable review.
Boots on the Ground
At one point in my Army career I was responsible for doing security inspections of subordinate units; physical security, classified document security, communications security and the like. I wasn’t long in that job before I could pretty much tell you what my inspection report to the Commander would be like within seconds of entering the facility. You could see all of the little signs that indicated that the unit either took their security requirements seriously or were just going through the motions.
I’m sure that CSI going into a new facility can tell the same thing. And they will see the little things that will never make it into written descriptions of the security measures. Thing like does the facility use a single vertical support for the barbwire outrigger on corner fence posts or two 45° outriggers to carry the barbwire around the corner.
Boots on the ground, particularly well trained boots (and more about that later) will be able to provide a much better overall evaluation of the actual SSP on the ground. That certainly does not obviate the need for SME reviews of the submitted written record, but the role of the SME should be to provide the CSI with pointers of specific things to look at when conducting the inspection.
Out of Balance
It seems like the balance may have been shifting recently to favoring the SME evaluation over the CSI evaluation. At this particular point in the SSP review process this is a particularly inappropriate time for such a switch. Most of the largest, most dangerous facilities have completed their initial process. As a rule those facilities had either trained security management personnel on staff, or could pay for the support of well connected contractor.
We are now beginning to move into the inspection of the typically smaller, less dangerous facilities that generally do not have on staff security management personnel nor are they usually going to have the money to hire the most experienced contractors. They are going to have a more difficult time getting adequate descriptions of their security measures to the SME.
As long the ISCD SSP approving authority is willing to weight the acceptance of SSP recommendations to favor the CSI, these smaller facilities will get a fair assessment of their security strategies. If we are seeing the reported shift back to favoring SME recommendations, then we are going to see a slow-down in the authorization and approval process.