Monday, December 1, 2008

Comments on Draft RBPS Guidance – 11-28-08

Now that the comment period on the DHS Draft Risk Based Performance Standards Guidance document has come to an end (on 11-26-08), there are finally enough comments on file at the comment site to comment on. As of Friday there were five comments posted, including a copy of my blog from 10-28-08 (see: “RBPS Guidance Shortcomings”). The other four commenters were:

G4S Wackenhut
Association of American Universities
ISA99 Committee on Industrial Systems Security
First Advantage Corp

G4S Wackenhut Comments

As a major supplier of security personnel to a wide variety of industries, including the chemical industry, Wackenhut suggests a number of ways that the discussion of security forces in the RBPS could be strengthened. They believe that security forces are ‘essential to a physically secure perimeter’. They suggest that the RBPS include ‘more robust training suggestions beyond what is provided in Table 13’. They believe that the RBPS should discuss the use of a joint security force by adjacent or closely located facilities. They would also like to see the RBPS note that security forces play valuable roles in both security response and emergency response situations.

Association of American Universities Comments

The AAU et al. provide comments on behalf of the relatively small number of educational institutions that are Tier 4 chemical facilities. They note that the draft RBPS provide no guidance on how they would affect the completion of an Alternative Security Program.

First Advantage Corp Comments

FA is a provider of ‘background screening solutions’. FA suggests that under RBPS #7 DHS should provide examples supporting the difference between the ‘strict’ procedures for Tier 1 and the procedures required for Tier 2. FA would like to see the term ‘regularly’ defined for the requirement to ‘regularly’ audit the background check program in RBPS #12 Metric 12.4. FA wants DHS to caution facilities that they must still comply with laws regulating personally identifiable information and credit data. FA notes that DHS does not specify different levels of background check stringency for differently tiered facilities. FA notes that TWIC regulations allow holders to have violent misdemeanors while RBPS #12 suggests that those would be excludable. FA would like clarification on whether they would be able to access the CSAT portal for purposes of personnel screening through the DHS TSDB, since they provide ‘complete’ personnel screening services for CFATS covered facilities.

ISA99 Committee on Industrial Systems Security Comments

The ISA99 Committee is working to establish international standards on industrial automation and control systems security. They note a wide variety of detailed problems with the RBPS #8 Cyber guidance. More generally, they disagree with the lack of prescriptive requirements in most areas except the ‘timing for removing access’. They note that the organization of the section is unclear and that the uneven coverage of various areas suggests different levels of concern. They are concerned about the lack of differentiation between IT and control systems. They note that three critical areas dealing with the unique aspects of control systems are missing:

“Need to carefully test before implementation on any production systems
“Need to provide a warning about scanning and similar activities, which may shut down operations just like a virus update
“Need to specify control system policies and procedures are needed.”
My Comments on Comments

It is really disappointing to see so few comments on such an important document. Facilities are going to be using the final version of this document in just a few months. I was beginning to think that I was the only one who thought there were things missing or poorly covered. Hopefully there are more comments that are making their way through the mail system.

I had hoped that the Wackenhut comments would have addressed some of the areas that were so poorly covered in the security forces discussion (see: “RBPS Guidance – Physical Security Measures”). The points they discussed ought to be addressed, but everyone is still ignoring the 900 lb gorilla: the question of arming security forces.

The ivory tower comments of the AAU completely miss the point of Alternate Security Plans; these are plans developed by agencies other than DHS. This means that DHS will provide little or no guidance on ASPs other than to approve or disapprove them. Most of the approved ASPs will already have been approved by the Center for Chemical Process Safety.

The ISA99 comments about cyber security are probably the most valuable to date (to include my own). Both the general comments and the specific comments will provide DHS with a lot of information to work with.
