Wednesday, January 9, 2008

Why facilities have to worry about CVI?

Last month, before the House Subcommittee on Transportation Security and Infrastructure Protection, Clyde D. Miller; Director, Corporate Security; BASF Corporation, questioned why CVI rules should apply to people at the facility involved “even when people are only getting access to their own company’s information.” This is a question that is being asked at many facilities around the country as companies begin to move deeper into the CFATS program.


Having worked as a Staff NCO in both intelligence and operations in various Army units I have a tendency to equate CVI with classified information that I dealt with during my years in the Army. The purpose of classifying information at the levels I was working at was to deny the enemy information that would increase their probability of conducting successful operations against our unit. That is the same reason for ‘classifying’ information as CVI, to deny the enemy (terrorists) information that would increase their probability of successfully attacking a chemical facility.


When a military unit prepares an operation plan one of the things that the intelligence section does is to prepare a list of Essential Elements of Friendly Information (EEFI). This is a listing of specific types of information that, if discovered by the enemy, could allow them to determine the commander’s plan of the operation. Understanding the plan, the enemy could develop their own plan for a counter operation. Extra efforts are made to conceal and protect EEFI.


If one were to look at Table 1 (pages 5 thru 7) of the CVI Procedure Manual, they would see that this is the EEFI for the plan to prevent a terrorist attack on the facility. Many of these documents include information that was derived from facility records. That does not make those records CVI; it is the act of bringing the data together into an easily understandable record that turns that raw information into CVI.


The Top Screen, for example, provides a comprehensive list of the chemicals that could make the facility a target. Facility chemical inventories are not CVI; they are full of extraneous, non-hazardous chemicals; described by abbreviations and trade names that are often incomprehensible to outsiders. A terrorist that obtained a complete copy of the facility chemical inventory might be able to piece together the information included in the Top Screen, but it would take an awful lot of work.


But why should the facility keep their copy of the Top Screen under lock and key, restricting access to only those people with a Need to Know (NTK)? Any document in a facility that is left lying around is susceptible to theft during a break in, pilfering by an unescorted visitor or to copying by an employee that has been bribed, blackmailed or recruited to the terrorists cause.


Why should personnel with authorized access be required to undergo CVI awareness training, and be required to sign a non-disclosure agreement (NDA)? Signing the NDA drives home the seriousness of the program while the training provides the information necessary to protect CVI. The training is designed to insure that the individual knows:


  1. What CVI documents are;
  2. How they are to be marked;
  3. How they are to be stored;
  4. To whom they can be shown; and
  5. How they can be transmitted.


The bulk of the CVI program is directed at government agencies to help protect the facility security information. It also is designed to protect commercial information that the facilities are required to share with the government. Almost everyone associated with protecting the facility will agree that this is important. It is, however, equally important to protect the same information held by the facility and its contractors.

No comments:

/* Use this with templates/template-twocol.html */