Tuesday, December 18, 2007

Problems with CVI rules?

During last week’s Congressional hearing on the progress of CFATS implementation, Clyde D. Miller, Director, Corporate Security, BASF Corporation, was generally supportive of DHS efforts to implement these new security regulations. One area in which he expressed some concern was the rules that DHS had published on the security of Chemical-Terrorism Vulnerability Information (CVI). On pages 2 and 3 of his testimony he said:

 

“…The manual requires company staff with access to CVI to go through web-based training and to sign a nondisclosure agreement (NDA) that is more restrictive even than the NDA that is required to have access to national security classified information.  Chain of custody record keeping is also required.  And all this applies even when people are only getting access to their own company’s information.”

 

The requirements that Mr. Miller refers to are found in paragraph 5.3 of the Procedural Manual Safeguarding Information Designated As Chemical-Terrorism Vulnerability Information (CVI). These requirements state that “Chemical facilities including their board members, employees and contractors, who require access to CVI will:

 

a. “Be aware of and comply with the safeguarding requirements for CVI as outlined in the regulations, in this Manual and in any other guidance or direction issued by CSCD.

b. “Participate in DHS-approved training presented to communicate the requirements for safeguarding CVI.

c. “Be aware that divulging information without proper authority could result in civil penalty or administrative or disciplinary action.

d. “Enter into an appropriate NDA similar to that shown in Appendix B.

e. “Maintain a Tracking Log of the receipt and subsequent dissemination of CVI….

f. “Ensure that all information is marked appropriately.

g. “Complete any required background checks or other requirements for personal identification or trustworthiness that may be required by DHS.”

 

What Mr. Miller does not seem to realize is that failing to secure the information that underlies the physical security measures protecting the chemical facility undercuts those measures. If someone is able to gather information about the security measures at a chemical facility, they will have a much easier time bypassing those security measures. Restricting access to security program documents is the only way that the information in those documents can be adequately protected.

 

The document security program outlined in the CVI handbook relies on the same types of measures that will be used to physically secure the facility:

 

1. Restricted Access,

2. Personnel Surety,

3. Security Procedures, and

4. Training.

 

Restricted Access:

 

Just as access to the facility needs to be restricted to those who need to be there, access to sensitive documents needs to be restricted to those with a need to know the information. While some parts of the security program will need wide dissemination within the organization to be effective, most of the documents listed in the CVI manual (Table 1) will only need to be seen by a limited number of people who actually work with the security program.

 

Those parts of the security program that will receive the widest exposure are those dealing with the interface between the facility and the public. Access procedures at the front gate, such as the requirement to show ID, sign in and be escorted while on site, will have to be available to anyone who wants access to the plant. While they will be part of the Site Security Plan (which is certainly CVI material), they can be sanitized to the point that posting this information on a sign at the gate will not compromise the plan. The plan itself should delineate which parts of the Site Security Plan are not CVI.

 

Personnel Surety:

 

The CFATS regulations already require that some sort of background checks will have to be performed on personnel with unaccompanied access to high-risk facilities. It is only reasonable that those background checks should be extended to people with access to CVI documents. The Chemical Security Compliance Division (CSCD) at DHS is already doing part of this background check when personnel complete the on-line training for CVI and submit their Non-Disclosure Agreement to DHS.

 

Security Procedures:

 

While the CVI handbook provides the general procedures for securing CVI information, the application of those procedures needs to be adapted to the particular situation at the facility. The Site Security Plan should include provisions for document security procedures (para 6.2 of the CVI Handbook) that include: “Physical protection requirements (that) include:

 

1) Secure storage

2) Document marking

3) Application of a tracking number

4) Restricted access

5) Limited reproduction

6) Secure transmission

7) Enhanced automatic data processing system controls

8) Appropriate destruction.”

 

Training:

 

Training is always the first key to ensure that procedures are followed. The on-line training provided by DHS is a good first step for the general training that all personnel that will be handling CVI material must complete. It is, of course, a required step in receiving DHS certification as an “authorized user” of CVI (though not all personnel at the facility need to be certified as authorized users to be granted access to CVI). Further training in specific on-site procedures implementing the CVI rules should also be developed and provided to personnel routinely dealing with CVI documents.

 

Protecting sensitive documents pertaining to the security of the facility is a key part of protecting the facility against a successful terrorist attack. Implementing a workable CVI protection procedure should be part and parcel of the facility Site Security Plan.
