Tuesday, October 28, 2008

RBPS Guidance Shortcomings

Having had a chance to review the entire Guidance document, I am afraid that I am going to have to take this opportunity to take DHS to task for the major shortcoming that I have found in this document rather than to do my normal detailed review of the provisions. I’ll get back to my normal review in my next blog entry on this document. As I noted in my first review post (see: “RBPS Guidance – Introduction”) prominent feature of the Guidance document is the DHS Disclaimer. This is probably necessary given the Congressional mandate that DHS may not require any specific security provision in the approval process of the high-risk chemical facility Site Security Plan (SSP). General Considerations This non-prescriptive nature of the Guidance document is further emphasized in the discussion of the General Considerations for Selecting Security Measures (page 15) section of the document. There DHS notes that:
“In fact, Congress has expressly prohibited DHS from disapproving a Site Security Plan based on the presence or absence of a particular security measure. Accordingly, the measures and activities listed in each chapter and in Appendix C are neither mandatory nor necessarily the “preferred solution.” Nor are they the complete list of potential activities from which a high-risk facility must choose to meet each RBPS. Rather, they are some example measures that a facility may choose to implement as part of its overall strategy to address the RBPSs. Facility owners/operators may consider other solutions based on the facility, its security risks, and its security program, so long as the suite of measures implemented achieve the targeted level of performance” (emphasis added).
Metrics that Do Not Measure Unfortunately, earlier in the How to Use This Guidance Document (page 13) section of the document, DHS makes this comment in the discussion of the metrics that are provided in the discussion of the individual RBPS:
“Note that the metrics included within the RBPS guidance document are for exemplary purposes only, and a facility need not necessarily meet any or all of the individual metrics to be in compliance with CFATS. Rather, the summary and individual metrics are meant to help a facility identify gaps in its own security posture and potentially mitigating activities by understanding the levels of performance that a compliant facility typically will be able to demonstrate. While a facility meeting all of the metrics is likely to be in compliance with the CFATS RBPS, the failure to meet any particular metric or summary level – or the substitution of alternative measures – does not automatically mean that a facility will not be in compliance with CFATS.”
While that sounds like it is in keeping with the Congressional restrictions provided in Section 550 of the Homeland Security Appropriations Act of 2007 (P.L. 109-295) one just has to look at the metrics provided in the Guidance document to see how unnecessary that waffling is. For example, here is the Tier 1 summary metric for RBPS #1, Restrict Area Perimeter:
“The facility has an extremely vigorous perimeter security and monitoring system that enables the facility to thwart most adversary penetrations and channel personnel and vehicles to access control points; including a perimeter intrusion detection and reporting system with multiple additive detection techniques that can demonstrate an extremely low probability that perimeter penetration would be undetected.”
There is clearly no requirement for specific security measures in that metric. Loop Hole Makes CFATS Unenforceable While the vast majority of the 7,000+ high-risk chemical facilities will use this Guidance document the way that it was intended, there will certainly be a significant number of facilities that will use the evasiveness of this document to deter DHS enforcement activities and delay implementing serious security measures. There will be much back-and-forth consultation until a harried DHS inspector is not careful in the wording used to ‘suggest’ an adequate security remedy. As soon as that is done the facilities lawyers will head to court to claim violation of Federal Law and Congressional Intent. And most of those claims will be upheld. In the event that DHS does levy sanctions on non-complying facilities there will be a bevy of lawyers available to argue that the vagueness of the standards makes them unenforceable. Claims will be made of inequitable enforcement and allowing too much leeway for inspector opinions. Correcting the Problem DHS needs to de-emphasize the repetitive disclaimers. The single disclaimer at the front of the document should be legally sufficient, especially since DHS uses standard type sizes and color-highlights the text box in which the disclaimer is printed. The needless repetition of the disclaimer language in the body of the Guidance document is unnecessary and should be removed. Finally, the disclaimer about the metrics found on page 13 is completely unnecessary and not required by the §550 language as long as the summary metrics do not specify security measures.

No comments:

/* Use this with templates/template-twocol.html */