I’m hearing interesting rumblings from those in the CFATS field that as more and more small chemical facilities are getting visited by DHS Chemical Security Inspectors (CSI, oh that hurts; maybe CBS should sue for copyright infringement) a new ‘security issue’ is being found with increasing regularity. While these facilities appear to be doing a yeoman’s job at actually securing the chemicals on site, they are having problems documenting their security procedures.
As DHS moves into the site security plan authorization and approval process in the Tier 3 and Tier 4 facilities, they are encountering a large number of small facilities, frequently with less than 10 employees on site and no corporate EHS&S support. The Security Manager at these types of facilities is frequently the same person that handles all of the other regulatory compliance issues for the facility along with another full time job related to chemical production or distribution.
This routinely means that while security measures might be employed, there is little time for preparing all of the documentation that goes into supporting a real security plan. There are dozens of written procedures and processes that the CSI need to be able to see when they arrive on site to verify that the facility understands its security program and is properly implementing all of the necessary support requirements that are part and parcel of the physical security investments that have been made.
For example, there might be a bright new 10 foot security fence with razor wire topper and an automated gate that opens only to employee ID cards, but there needs to be a document that describes the processes that support that fence. That barrier plan document would include a description of:
• Who/what the fence was designed to keep out;
• How the fence is kept under observation to ensure that no one cuts or climbs over it;
• How often the fence is inspected for physical integrity;
• Who is responsible for ensuring that defects are repaired;
• What is done while a defect is awaiting repair to compensate for the deficiency;
• How the employee ID cards are issued and controlled;
Each and every security measure that a facility employs needs this sort of documentation that can be shown to a visiting inspector (along with supporting records that show that required periodic actions are being taken). Without that documentation, the DHS cannot really tell if a facility is really properly secured.
CSAT Tool Lacking
It looks like the original intent of the developers of the Chemical Security Assessment Tool (CSAT) was to provide an on-line data entry tool that would allow much of this type of documentation to be bypassed, making the job of security managers much less complicated. Unfortunately, by the time DHS got around to implementing the Site Security Plan (SSP) portion of the tool it became painfully obvious that there was not enough time, money or support available to prepare an SSP tool that could do more than ask some general questions about a very complicated series of security topics.
I understand that suggestions have been made that DHS Infrastructure Security Compliance Division (ISCD, the folks that run the CFATS program) provide an on-line series of templates for the various supporting plans and documents that may be needed by a facility to support their SSP. For some fairly obvious reasons, that has not been done.
First off, ISCD is already stretched pretty thin doing what it is already required to do; authorize, approve and inspect 3000+ site security plans. We can argue whether or not they should have developed such templates as part of the original SSP tool development process, but that is water under the bridge and the current management team was not in charge of that process. At this point in time they don’t have the time, money or personnel to accomplish that type of template development.
I am hearing rumors that a variety of facilities that have already been authorized and approved have offered to allow some of the documents that they have produced to be used as templates (after filing off the appropriate nameplates and serial numbers, of course). This is quite heartening and a positive sign of how well the industry accepts their general responsibility for chemical security in general.
Unfortunately, the §550 bugaboo once again rears its ugly head; “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”. ISCD has, from its very inception taken this congressional restriction very seriously (too seriously in my opinion, but then again, I don’t have to go back to Congress every year of reauthorization either). One just has to look at the repeated weasel wording in the Risk-Based Performance Standards guidance document to see how seriously the Department takes this requirement.
There is no way that ISCD is going to provide templates for SSP support documents for fear of running afoul of this restriction. Additionally, the Department lawyers would vociferously argue against providing such templates for fear having to defend ISCD against legal complaints when facilities that used such templates were found wanting in their SSP plan implementation. Templates would have to be generally enough written that a lot would still depend on how the various blanks were filled in. Besides, chemical facilities covered under CFATS are so diverse that it is unlikely that a single template, no matter how generally written, would cover all situations.
It looks like Congress, reading the full language of the §550 authorization, actually thought that there would be a viable solution to this issue. We can see this in the language related to alternative security plans (ASP). They thought that the various areas of the chemical industry would come up with generic security programs tailored to the specific requirements and security issues facing that industry segment.
Unfortunately, to date only one ASP has been developed that is in wide spread use and that is the one that was introduced just over a year ago by the American Chemistry Council (ACC). The ACC’s ASP is much closer to being an actual site security plan template than is the SSP tool in CSAT. It is still, however, falls short of the actual policies and procedure documents that need to be in place at all CFATS covered facilities. And there is a good reason for this; the ASP document once submitted and authorized/approved by DHS cannot be changed without approval of DHS.
Policies and procedures supporting the ASP need to be living documents that can be changed and modified to fit changing circumstances. As long as those changes don’t materially modify the processes approved by DHS there should be no need to burden the ISCD folks with a change approval request. So the data submitted to the DHS in the ASP needs to cover much of the same information as would found in the policy and procedure documents, but not in quite so much detail. (NOTE: Finding the acceptable limits of that detail is what is taking so much time in the SSP authorization and approval process.)
In any case, it would be helpful if the various chemical industry support groups would help the smaller companies in their organizations by developing template documents for many of the security policies and procedures that facilities would have to have in place to support their SSP.
While I am on the topic of ASPs, I heard a very interesting comment from the field the other day about why DHS is not pushing the ACC ASP. Now Director Wulf has made an official statement in support of the use of the ACC ASP, but there is nothing on the DHS CFATS web sites specifically mentioning the ACC ASP, and there is certainly no link to the ASP on the DHS sites. Some are questioning this lack of support.
The comment I heard this week is that the reason for this lack of support is that the cost of the design and maintenance of the current CSAT tool would be hard to justify if there were wide spread adoption of the ACC ASP. While I would not be surprised to hear that there were individuals associated with the CSAT development that might have their feeling hurt to hear that their SSP tool was less than adequate (AND IT CERTAINLY IS THAT), I do not think that is why the current management team at ISCD has not made their support for the ACC ASP more widely known.
First off, any federal bureaucrat has to be very careful about how they endorse a commercial product. While the ACC ASP is certainly free-of-charge for use the ACC and its affiliated companies are commercial enterprises, so Director Wulf has to be careful in that respect. Also, as other ASPs hopefully come into use failure to publicly recognize and support those with the same alacrity that they supported the ACC ASP could lead them into political problems, so a measured approval is probably politically prudent.
There should be, however, a link on the SSP homepage to any and all ASPs that have been approved by DHS. If there is only one such link because only one such program has been approved by ISCD, then so be it. This should serve as an incentive for other organizations to develop their own industry specific templates.