This is part of a continuing discussion of the recently
passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014. As promised in one of the earlier posts this post will
look at the process to be used by expedited approval facilities (EAF). The previous postings in this series were:
Establishing the
Program
As I mentioned in an earlier posting DHS has 180 days to get
the EAF program established. Thus, by June 16th, 2015 we should have
the guidance for the program from DHS. Remember, DHS is specifically not
required to go through the publish and comment cycle nor do they need to
receive OMB clearance of this program, either the guidance document or the
information collection request (ICR) under 44
USC 3507. This means that we are unlikely to receive much advance notice of
the provisions in the guidance document.
DHS has three basic options on how they are going to proceed
with this EAF program development:
● Publish a guidance document that
is little more than a list of required minimum security measures that a Tier 3
and/or Tier 4 facility would have to have to obtain approval of their site
security plan (SSP). Facilities would then certify compliance and submit their
SSP using the current CSAT tool.
● Develop a new CSAT tool
specifically for the EAF program. The tool would be a template {authorized, but
not required, under §2102(c)(4)(H)} where facilities would fill in the
appropriate blanks that would be a substitute for the current CSAT SSP tool and
then certify compliance.
● A combination of the two above.
I would like to see the second option. It would seem to me
to be the simplest way to proceed for the EAF owners, which was clearly the
congressional intent. The cheapest and easiest way out for ISCD though would be
the first option since it would only require publishing a new guidance document
(that would have to be published in any case) and would not require any
substantive changes to CSAT. I suspect that the blended approach will be what
we actually see; ICSD will publish the guidance to meet their 180 day deadline
and then at some future date put the CSAT template into use.
Facility
Participation
Starting on June 16th CFATS covered facilities
then assigned to Tier 3 or Tier 4 that do not already have approved site
security plans will have 30 days to look over and assess whether or not they
want to continue to attempt to have their current site security plans approved
or whether they want to seek approval under the EAF program. This 30 day period
could be important to facilities since they are required to give ISCD 30-days’
notice {§2102(c)(4)(D)(iii)} before submitting the certification and SSP.
Existing facilities would have until November 13th,
2015 (120 days) to submit their certification and SSP. Because of the 30-day
notice requirement any current facility that has not notified ISCD by October
14th, 2015 that they intend to submit and EAF certification and SSP
will have to go through the current SSP process.
While DHS will be specifying minimum security requirements
in their guidance for facilities participating in the EAF program, those
minimums are not set in stone. Congress has given facilities the option to use
lesser security measures as long as they explain in their site security plan
how those measures actually meet the requirements of the risk-based performance
standards {§2102(c)(4)(B)(ii)}. But, DHS still has the final responsibility and
authority to decide if those standards are met.
EAF Site Security
Plan Approval
The whole purpose of the EAF program is to expedite the SSP
approval process. With this in mind Congress provided a 100-day time limit for
DHS to make a decision that the SSP is ‘facially deficient’ or obviously does
not “address the security vulnerability assessment and the risk-based
performance standards for security for the facility” {§2101(7)}. Lacking such
an assessment the SSP will be approved.
Congress did not intend for chemical security inspectors to
be involved in the EAF approval process, but they did not prohibit their
involvement either. The decision is supposed to be made based on four factors {§2101(7)}:
● The facility’s site security
plan;
● The facility’s Top-Screen;
● The facility’s security
vulnerability assessment; or
● Any other information.
That ‘any other information’ is specifically and broadly
defined to include any information “the facility submits to the Department; or
the Department obtains from a public source or other source”. That covers just
about any means the Department decides to utilize, as long as it is done within
100 days of the submission.
Disapproved EAF SSPs
If during the 100 day DHS review of the SSP, or after a
compliance inspection (I’ll look at compliance inspections in more detail in a
later post) of the facility after the SSP is approved, the Secretary (read
ISCD) determines that the security measurements are “insufficient to meet the
risk-based performance standards based on misrepresentation, omission, or an
inadequate description of the site”, the Secretary has two options {§2102(c)(4)(G)(ii)(I)}:
● Require additional security
measures, or
● Suspend the certification of the
facility.
In either case DHS is required to provide written notice
that includes “a clear
explanation of each deficiency in the site security plan”;
this would include specific suggestions for additional security measures. If
the deficient facility would like to remain in the EAF program they would then
have 90 days to submit a new certificate and SSP and DHS would have 45 days to
review the new submission. If the facility declined to resubmit an EAF certification,
they would have 120 days to submit a full site security plan or an alternative
site security plan.
Posts
No comments:
Post a Comment