Today the DHS Infrastructure Security Compliance Division (ISCD) published the Expedited Approval Program (EAP) guidance document that was mandated by last year’s HR 4007. The document fulfills the new requirement of 6 CFR §622(c)(4)(B) more than a month earlier than mandated by Congress. The guidance document also includes the template for submitting the site security plan suggested by 6 CFR §622(c)(4)(H)
The EAP program is briefly described on a new CFATS web page and the document can be downloaded here. I briefly discussed the EAP concept in a blog post late last year.
The EAP program can only be used by Tier 3 and Tier 4 facilities. The deadlines for the program vary according to when the facility’s Security Vulnerability Assessment was completed and the final tier assignment made.
For facilities with a final tier assignment made before December 18th, 2014:
∙ Notify ISCD of intent to certify under the EAP – October 19th, 2015
∙ Certify compliance with EAP – November 18th, 2015
For facilities that were tiered after December 18th, the notification deadline is either the one shown above or 90 days after the tiering date, whichever is later. Similarly the certification deadline is 120 days after the tiering date or the date listed above, whichever is later.
The Chemical Security Assessment Tool (CSAT) application will begin to accept EAP notifications on June 16th, 2015 and presumably EAP submissions 30 days later.
The site security plan requirements outlined in this guidance document are based upon the Risk Based Performance Standards guidance document published in 2009. The guidance provided in this new document is, however, much more prescriptive than the earlier guidance. This is intentional and in keeping with the Congressional intent with the establishment of the EAP. This provides a facility with a level of certainty not available when submitting under the standard site security plan program (which remains an available option).
However, even with the prescriptive requirements for security measures, ISCD realizes that not all security measures will actually be required in every instance or they can be modified to a certain extent to meet unique facility situations. Provisions have been made for facilities to explain why certain prescribed security measures have not been taken and what alternatives have been applied instead.
No Solicitation of Public Comments
Congress specifically exempted ISCD from having to comply with the ‘publish and public comment’ process in publishing this guidance document. This was done in part to expedite the production of the document and allow for expediting the site security plan approval process. The internal justification for this exemption was that facilities do not have to use the EAP program; it is entirely voluntary.
I will be looking at details of the enhanced RPBS guidance in future blog posts.