This is part of a continuing discussion of the recently
passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014. In this post I will be looking at new expedited approval facility
provisions of HR 4007. The previous postings in this series were:
One of the suggested methods for reducing the backlog of
site security plan approvals has been that there ought to be a simpler method
for smaller, lower threat facilities to get their site security plan (SSP)
approved. One suggested method has been to use a system similar to what the EPA
uses for water treatment facility security; the facility would certify that it
meets the security requirements specified in the Risk
Based Performance Standards guidance document. Congress took this basic
idea and made it a little bit more complicated when they created the expedited
approval facility (EAF) program in §2102(c)(4).
DHS Requirements
To start this program off, the bill requires the Secretary
to accomplish two tasks within 180 days of the bill being signed into law. They
are:
● Issue guidance for expedited approval
facilities that identifies specific security measures that are sufficient to
meet the risk-based performance standards {§2102(c)(4)(B)(i)}; and
● Develop prescriptive site
security plan templates with specific security measures to meet the risk-based
performance standards under subsection (a)(2)(C) for adoption and certification
by a covered chemical facility assigned to tier 3 or 4 in lieu of developing
and certifying its own plan.
Actually the second item is permissive not required and
there is no actual time limit associated with the Department’s publication of
templates. I’ve included it here for two reasons; it is specifically mentioned
in the EAF program {§2102(c)(4)(A)(ii)}and Congress gave the same exemption
from the regulatory approval process that it gave the Secretary for development
of the EAF guidance (see the previous
post in this series for more details on this exemption).
After a facility makes its site security plan submission (as
described below) DHS has 100 days {§2102(c)(4)(G)(i)(II)}to make a
determination that the submitted plan if ‘facially deficient’, otherwise the
plan is considered approved. The term ‘facially deficient’ means that the {§2101(7)}:
(S)ite security plan that does not
support a certification that the security measures in the plan address the security
vulnerability assessment and the risk-based performance standards for security
for the facility, based on a review of—
(A) the facility’s site security
plan;
(B) the facility’s Top-Screen;
(C) the facility’s security
vulnerability assessment; or
(D) any other information that—
(i) the facility
submits to the Department; or
(ii) the
Department obtains from a public source or other source
I’m not sure how the good folks at ISCD are going to get
this review system set up, but they have been specifically authorized by this
bill to employ contractors for conducting this sort of review (not making the
final go/no go decision – that’s a purely governmental responsibility). Whether
they can get it set up in time is a question for a future date. From the
facility point of view, if they can’t get the review done in 100 days, it doesn’t
matter; the plan is automatically approved.
Owner Requirements
Things get a little more complicated from the owner’s point
of view. Let’s talk timelines first. The starting point for timelines for
existing CFATS facilities that have had their security vulnerability
assessments accepted by ISCD and have been assigned to Tiers 3 or 4 is 210 days
after the bill becomes law (which is 30 days after ISCD is supposed to have
their guidance document published). Facilities notified of their tier ranking
after the bill is signed start on the date of their tier notification.
Facilities have 120 days to submit their site security plan
and certification that the plan conforms to the guidance provided by ISCD. At
least 30 days before the certification is sent, the facility must notify ISCD
that they intend to certify as an expedited approval facility {§2102(c)(4)(D)(iii)}.
Actually the certification is just a tad bit more complicated than that; the
owner/operator certifies that {§2102(c)(4)(C)}:
(i) the owner or operator is
familiar with the requirements of this title and part 27 of title 6, Code of
Federal Regulations, or any successor thereto, and the site security plan being
submitted;
(ii) the site security plan
includes the security measures required by subsection (b);
(iii)
(I) the security measures in the
site security plan do not materially deviate from the guidance for expedited
approval facilities except where indicated in the site security plan;
(II) any deviations from the
guidance for expedited approval facilities in the site security plan meet the
risk-based performance standards for the tier to which the facility is
assigned; and
(III) the owner or operator has
provided an explanation of how the site security plan meets the risk based performance
standards for any material deviation;
(iv) the owner or operator has
visited, examined, documented, and verified that the expedited approval facility
meets the criteria set forth in the site security plan;
(v) the expedited approval facility
has implemented all of the required performance measures outlined in the site
security plan or set out planned measures that will be implemented within a
reasonable time period stated in the site security plan;
(vi) each individual responsible
for implementing the site security plan has been made aware of the requirements
relevant to the individual’s responsibility contained in the site security plan
and has demonstrated competency to carry out those requirements;
(vii) the owner or operator has
committed, or, in the case of planned measures will commit, the necessary resources
to fully implement the site security plan; and
(viii) the planned measures include
an adequate procedure for addressing events beyond the control of the owner or
operator in implementing any planned measures.
I expect that we will see the certification as a form in
CSAT with check marks in the appropriate places. Oops, maybe not as the bill
clearly states that the certification must be “signed under penalty of perjury”.
So I guess this will probably be another sign and send to ISCD form.
Compliance
This post is starting to get more than a little long, so I’ll
look at the compliance issues in another post.
Posts
No comments:
Post a Comment