Wednesday, March 19, 2008

Minimum SVA Requirements under HR 5577

This is part of a continuing series taking a detailed look at the provisions of the new Chemical Facility Anti-terrorism Act of 2008 recently introduced in Congress (HR 5577IH). Today’s entry looks at the part of Section 2104 dealing with the minimum requirements for Security Vulnerability Assessments.


Previous blogs in this series include:


·        CFATA of 2008 Introduced as HR. 5577

·        Personnel Background Checks and HR 5577

·        Ranking of Chemical Facilities by HR 5577

·        General SVA and SSP Requirements under HR 5577


Facilities That Are Required to Perform SVA


Section 2103(b)(1) sets forth the requirements that must be met by the security vulnerability assessments conducted by any “covered chemical facility assigned to a high-risk tier”. There is no requirement for other covered chemical facilities to complete a vulnerability assessment under this section.


What is not clear in this legislation is how the four tiers of high-risk facilities under the current CFATS fit into the tier rankings described here. If the current high-risk facilities are kept in their current tiers and only one or two of the tiers are listed as high-risk tiers {Section 2102(c)(3)}, then many facilities will no longer be required to complete SVA’s. If the current four high-risk tiers are compressed into one or two high-risk tiers, then the new facilities added in the lower-risk tiers will not be required to complete SVA’s.


Definition: Chemical Facility Terrorist Incident


To fully understand the requirements for performing an SVA we need to look at the definition of the term ‘chemical facility terrorist incident’. Section 2101(3) defines this term as “an act or attempted act of terrorism committed at, near, or against a chemical facility, including:


·        “the release of a substance of concern from a chemical facility into the surrounding area as a consequence of an act of terrorism;”


·        “the obtaining of a substance of concern by any person for the purpose of using the substance at a location other than the chemical facility in furtherance of an act of terrorism; or”


·        “the sabotage of a chemical facility or a substance of concern at a chemical facility in furtherance of an act of terrorism.”


This definition specifically addresses all but two of the categories of chemicals listed as Chemicals of Interest in the final version of Appendix A to 6 CFR part 27. Those two missing categories are flammable release and explosive release chemicals. Those two categories are clearly included in the conventional idea of an attack on a chemical facility.


Vulnerability Assessment


The assessment must include the identification of “any hazard that could result from a chemical facilityterrorist incident” and an assessment of any hazard due to a threat specifically identified by the Secretary and communicated to the facility. It must also address any vulnerability related to:


·        “physical security;”


·        “programmable electronic devices, computers, computer or communications networks, Supervisory Control and Data Acquisition systems, Process Control Systems, or other automated systems used by the chemical facility;”


·        “alarms, cameras, and other protection systems;”


·        “communication systems;”


·        “insider threats; and”


·        “the structural integrity of equipment for storage, handling, and other purposes.”


This definition of a vulnerability assessment is very expansive. The repetitive use of phrases like ‘any hazard’ and ‘any vulnerability’ demonstrate the expansive nature of the definition. Combine that with the phrase ‘at, near, or against a chemical facility’, which expands the physical area that must be considered, and the SVA’s become much more complex than considered under the current CFATS regulations.


How much of a problem this expanded SVA will be will depend in a large measure on how DHS deals with the definition of the risk tiers. If the tiers remain effectively the same and the definition of high-risk narrows to only include the highest risk facilities from the current regime, then this definition will be less of a problem. The problems will increase greatly if the current high-risk definition remains and DHS expands the list of covered facilities. While the added lower-risk facilities will not have to complete SVA’s, all of the currently listed facilities will have to deal with the expanded definition.


What is less obvious is that this will also be a strain on DHS in either case. The current CSAT system is designed to allow DHS to administer the data collection and analysis process with minimum staffing levels. This means that a great deal of time and money has gone into the establishment of the computer software used to collect and analyze the SVA data submitted by the facilities. The extensive modification of that systemnecessary to accommodate the expanded definition of requirements for SVA will be expensive and time consuming.

No comments:

/* Use this with templates/template-twocol.html */