This is part of a continuing series of blog posts on the newly released Expedited Approval Program (EAP) guidance document for Tier 3 and Tier 4 facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in the series are:
In this post I will look at how the guidance document is organized and how it is intended to be used. As I noted earlier this program was mandated by Congress as a means to allow Tier 3 and Tier 4 facilities to have an easier method of determining what security measures meet the Risk Based Performance Standards (RBPS) that are required for all facility site security plans.
Instead of having to determine what security measures might meet the appropriate standards (and then have ISCD inspectors come out and agree or disagree in the SSP authorization/approval process) Congress authorized ISCD to specify minimum security requirements that would meet those standards for Tier 3 and Tier 4 facilities. So, even if a facility decides not to use the EAP process, this document can be used to supplement the RBPS guidance to select appropriate security measures for the standard SSP process.
COI Specific Security Measures
While most security measures apply to all facilities, there are many measures that are only required if a specific category of chemical of interest (COI) is listed on the facilities security vulnerability assessment. Those security measures are clearly marked and the facility is given the option to not use those measures by indicating that the listed COI category is not found on the facility.
In establishing these minimum security measures ISCD recognizes that there will be variations in how that measures are applied. They have defined two categories of variations, material deviations and non-material deviations. For many of the security measures specified there will be alternatives that are spelled out in the EAP that can be used to meet that requirement. The introduction to the EAP uses the example of the requirement for an intrusion detection system (IDS); the non-material deviations for that include a listing of different detectors that could be used in such a system.
Anytime that a facility chooses not to use one of the specified security measures that is considered a material deviation from the EAP. Each material deviation must be documented and an explanation given for how an alternative is used to meet the standards specified in the RPBS. This means that the metrics provided in the RBPS guidance document for that particular standard must be referenced with an explanation of how they are being met.
As part of the review process for the EAP SSP submissions, ISCD will closely look at each of the material deviations to determine whether or not the substitute measure meets the RPBS for that particular metric. If it does not, ISCD will notify the facility which material deviations were not adequate and how to correct them.
A facility does not have to have all listed security measures in place when they submit their EAP SSP. The EAP provides for the use of planned measures to fulfil some requirements. A planned measure must have “a clear timeline for implementation not to exceed twelve (12) months from date of the approval” (pg 9). It is not specifically stated in the EAP, but the 12 months is probably related to the time frame after the approval of a site security plan that a facility should begin to expect a compliance inspection of that SSP by ISCD.
Planned measures have to be specifically identified in the SSP submission. That identification needs to include a description of the systems to be implemented and the time line for that implementation. If a planned measure cannot be met within that 1 year time limit, the measure becomes a material deviation from the RBPS and must be separately justified.
In addition to completing the EAP SSP documentation the facility owner or operator will also be required to certify that the SSP meets the requirements of 6 USC §622(c)(4)(C). A copy of the certification document is included as Attachment 1 of the EAP guidance document (pg 60).
Approval and Inspection
Once the facility submits the SSP documentation and certification (presumably via the CSAT tool, but that has not been officially announced yet), DHS has 100 days to approve the SSP. The only reasons for disapproval would be if a facility did not acknowledge implementing all of the appropriate security measures for the COI identified at that facility or had submitted inadequate substitute measures for one or more material deviations.
At some point at least 12 months after the site security plan is approved by DHS, the Chemical Security Inspectors from ISCD will visit the facility to conduct a compliance inspection. Theoretically, this could be the first time that the facility was visited by a CSI. In practice almost all facilities currently covered by the CFATS program have been visited by a CSI team at least once. The only possible exceptions are facilities that have been recently added to the program.
If that compliance inspection finds that any of the implemented or planned security measures reported in the SSP are insufficient to meet the requirements for the RBPS, DHS may require additional security measures to be implemented or may decertify the facility.