Wednesday, December 24, 2014

HR 4007 – The EAF Process

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. As promised in one of the earlier posts this post will look at the process to be used by expedited approval facilities (EAF).  The previous postings in this series were:

Establishing the Program

As I mentioned in an earlier posting DHS has 180 days to get the EAF program established. Thus, by June 16th, 2015 we should have the guidance for the program from DHS. Remember, DHS is specifically not required to go through the publish and comment cycle nor do they need to receive OMB clearance of this program, either the guidance document or the information collection request (ICR) under 44 USC 3507. This means that we are unlikely to receive much advance notice of the provisions in the guidance document.

DHS has three basic options on how they are going to proceed with this EAF program development:

● Publish a guidance document that is little more than a list of required minimum security measures that a Tier 3 and/or Tier 4 facility would have to have to obtain approval of their site security plan (SSP). Facilities would then certify compliance and submit their SSP using the current CSAT tool.

● Develop a new CSAT tool specifically for the EAF program. The tool would be a template {authorized, but not required, under §2102(c)(4)(H)} where facilities would fill in the appropriate blanks that would be a substitute for the current CSAT SSP tool and then certify compliance.

● A combination of the two above.

I would like to see the second option. It would seem to me to be the simplest way to proceed for the EAF owners, which was clearly the congressional intent. The cheapest and easiest way out for ISCD though would be the first option since it would only require publishing a new guidance document (that would have to be published in any case) and would not require any substantive changes to CSAT. I suspect that the blended approach will be what we actually see; ICSD will publish the guidance to meet their 180 day deadline and then at some future date put the CSAT template into use.

Facility Participation

Starting on June 16th CFATS covered facilities then assigned to Tier 3 or Tier 4 that do not already have approved site security plans will have 30 days to look over and assess whether or not they want to continue to attempt to have their current site security plans approved or whether they want to seek approval under the EAF program. This 30 day period could be important to facilities since they are required to give ISCD 30-days’ notice {§2102(c)(4)(D)(iii)} before submitting the certification and SSP.

Existing facilities would have until November 13th, 2015 (120 days) to submit their certification and SSP. Because of the 30-day notice requirement any current facility that has not notified ISCD by October 14th, 2015 that they intend to submit and EAF certification and SSP will have to go through the current SSP process.

While DHS will be specifying minimum security requirements in their guidance for facilities participating in the EAF program, those minimums are not set in stone. Congress has given facilities the option to use lesser security measures as long as they explain in their site security plan how those measures actually meet the requirements of the risk-based performance standards {§2102(c)(4)(B)(ii)}. But, DHS still has the final responsibility and authority to decide if those standards are met.

EAF Site Security Plan Approval

The whole purpose of the EAF program is to expedite the SSP approval process. With this in mind Congress provided a 100-day time limit for DHS to make a decision that the SSP is ‘facially deficient’ or obviously does not “address the security vulnerability assessment and the risk-based performance standards for security for the facility” {§2101(7)}. Lacking such an assessment the SSP will be approved.

Congress did not intend for chemical security inspectors to be involved in the EAF approval process, but they did not prohibit their involvement either. The decision is supposed to be made based on four factors {§2101(7)}:

● The facility’s site security plan;
● The facility’s Top-Screen;
● The facility’s security vulnerability assessment; or
● Any other information.

That ‘any other information’ is specifically and broadly defined to include any information “the facility submits to the Department; or the Department obtains from a public source or other source”. That covers just about any means the Department decides to utilize, as long as it is done within 100 days of the submission.

Disapproved EAF SSPs

If during the 100 day DHS review of the SSP, or after a compliance inspection (I’ll look at compliance inspections in more detail in a later post) of the facility after the SSP is approved, the Secretary (read ISCD) determines that the security measurements are “insufficient to meet the risk-based performance standards based on misrepresentation, omission, or an inadequate description of the site”, the Secretary has two options {§2102(c)(4)(G)(ii)(I)}:

● Require additional security measures, or
● Suspend the certification of the facility.

In either case DHS is required to provide written notice that includes “a clear

explanation of each deficiency in the site security plan”; this would include specific suggestions for additional security measures. If the deficient facility would like to remain in the EAF program they would then have 90 days to submit a new certificate and SSP and DHS would have 45 days to review the new submission. If the facility declined to resubmit an EAF certification, they would have 120 days to submit a full site security plan or an alternative site security plan.

No comments:

/* Use this with templates/template-twocol.html */