Wednesday, December 10, 2008

More Comments on Draft RBPS Guidance – 12-05-08

This blog looks at the remaining 8 comments that were filed as of last Friday on the Regulations.gov web site for the Draft Risk Based Performance Standards (RBPS) Guidance document that would be used by high-risk chemical facilities to guide them in developing their site security plan under the Chemical Facility Anti-Terrorism Standards (CFATS). The other 11 comments were discussed in yesterday’s blog. The comments that will be discussed today come from: National Paint and Coatings Association Compressed Gas Association Labor, Public Health, Environmental and Public Interest Groups IBM Industrial Safety Training Council National Petrochemical & Refiners Association Industrial Defender Inc American Gas Association National Paint and Coatings Association Comments The NPCA believes that DHS has developed a reasonable approach to a wide variety of high-risk chemical facilities, especially facilities so designated because they posses theft/diversion COI. The NPCA suggests that the metrics associated with RBPS #1 should explicitly note the acceptability of security restricted areas as opposed to the entire facility. The NPCA believes that many of the metrics need to include more references to measures that would be appropriate theft/diversion risk facilities. The NPCA questions how the requirements for 3rd party background verification can be implemented for less than truck load (LTL) truck drivers that typically deliver theft/diversion COI. Compressed Gas Association Comments The CGA notes that many facilities in their industry are small facilities with minimal staffing that will have extreme difficulties implementing many of the suggested security procedures. The CGA would like to see clarification to a number of specific metrics to address facilities that have only theft/diversion COI on site. The CGA suggests that the TWIC program be expanded for high-risk chemical facilities outside of port facilities. The CGA notes that many companies in its organization will have a corporate security officer who will effectively be the SSO for a number of small facilities. Labor, Public Health, Environmental and Public Interest Groups This coalition of a variety of labor, public health, environmental and public interest groups has been active in lobbying for expanding the current CFATS regulations. They suggest that the RBPS fails to address the use of inherently safer technology as a means to decrease the risk to high-risk chemical facilities. They also suggest that the personnel surety programs outlined in the RBPS inadequate protect worker rights. IBM Comments IBM briefly requests that the RBPS Guidance address how facilities can share Chemical Vulnerability Information (CVI) with local agencies in ‘the course of joint training exercises’ and still maintain the security of that information. Industrial Safety Training Council Comments The ISTC believes that the TWIC credentials are an inadequate screening tool for access to restricted areas of high-risk chemical facilities in that the background check provisions are less than adequate. The ISTC would like to see explicit language that requires that high-risk chemical facilities that are also covered under MTSA are required to comply with the personnel surety RBPS. The ISTC would also like to see the personnel surety RBPS recognize procedures by which a private-sector third-party may provide personnel surety programs for high-risk chemical facilities. National Petrochemical & Refiners Association Comments The NPRA notes the tight timeline DHS is working under to get this document to the affected facilities. The NPRA does note that there is much repetitive and overlapping information in the various RBPS. The NPRA is concerned that DHS inspectors could use the metrics in this guidance document as the de facto standard for measuring site security plan compliance. The NPRA notes that it appears that the guidance was written specifically for large, integrated chemical facilities and thus does not apply well to smaller facilities with limited resources. The NPRA questions the appropriateness of the number of instances where metrics are the same for multiple Tier levels. The NPRA requests that a number of terms used in the metrics be clarified or defined. The NPRA suggests that the Guidance has expanded the requirements for background checks beyond what is required in the regulations. They note that background checks and adjudication processes are normally handled at the corporate level not the facility level. Industrial Defender Inc Comments Industrial Defender provides alternative wording for a variety of areas under the Cyber Security RBPS. This wording provides more detailed guidance for areas such as access control, cyber security controls, network monitoring, incident response, and audits. American Gas Association Comments The AGA would like to see the RBPS explicitly state that security measures required by other Federal agencies would satisfy CFATS requirements. The AGA objects to the implied requirement in Metric 4.5 for a full-time armed security force. My Comments on Comments A number of commenters noted that, in general, the RBPS seem to be written with large chemical facilities in mind, not smaller facilities. I do agree that the wording of the metrics, in particular, does seem to be slanted in that direction. I am not sure how DHS can reword those metrics to address this issue without making the document unwieldy. Perhaps they can provide a section discussing how the metrics should be viewed by a variety of smaller facilities that still fall under the high-risk definition of CFATS. The comments made by the special interest (I do not mean this in a derogatory fashion, I just can’t find a simple method of identifying this group) coalition with respect to the lack of reference to IST are important. DHS does owe it to the public to at least address the possibility of risk reduction as a potential security measure in this document. Unfortunately, I think that the political discussion contained in the submission will over shadow the legitimate case for including IST language in the Guidance. It is interesting that the special interest coalition and the NPRA can provide comments about the same issue, worker protection in the personnel surety process, and come to such widely different views about the effectiveness of the RBPS requirements. The special interest coalition has long expressed concerns that employers could use the personnel process to get rid of troublesome workers and they do not believe that the Guidance provides enough protection in this regard. The NPRA feels, on the other hand, that the Guidance goes overboard in providing for protections. A good rule in politics is that if two sides disagree with a requirement for opposite reasons, then a decent compromise has been reached. The NPRA does bring up one legitimate point in their discussion of this issue. In many instances, personnel decisions (which personnel surety certainly is) are made at the corporate level, not the facility level. This is done for a variety of reasons, but generally does provide for a higher level of worker protection because of the likely removal of personalities from process. The RBPS needs to address the centralization of this process. A number of commenters make the point that their facilities are not manned on a continuous basis and use this as a justification for exemption from some of the security requirements listed in the Guidance. There needs to be a serious discussion of this issue. On one hand it is hard to imagine a high-risk chemical facility that can maintain adequate security without an on-site security presence 24-7. On the other hand it would be difficult for many of these smaller facilities to afford even the services of an unarmed guard when the facility is closed. This goes to the basic question of who bears the cost of security. Does the company that makes a profit from the use or sale of highly hazardous chemicals have an obligation to protect the community? Does society that requires the use of such chemicals to maintain its standard of living bear the burden of self-protection? I believe that the general cost of security is a cost of doing business, the same as personnel costs, and the same as safety or pollution control. There are certain security costs for these facilities, however, that might legitimately fall under the heading of providing for the common defense, something upon which we rely on the government. Emergency response, police, fire and emergency medical, certainly falls under this heading. Perhaps we need to add security forces to the “provide for the common defense” heading.

No comments:

 
/* Use this with templates/template-twocol.html */