Thursday, April 16, 2009

Draft SSP Review – Facility Security Measures

This is another in a continuing series of blogs describing the draft SSP Template that was provided by a reader of this blog, not DHS. Just a quick reminder, this means that there might be differences between this template and the one that DHS will shortly be opening on the CSAT web site. The previous blogs in the series were:

Draft SSP Review – General Facility Information
Draft SSP Review – Facility Operations

This posting will be a general overview of what will undoubtedly be the largest portion of the Site Security Plan, the Facility Security Measures section. This section looks at overall site security measures, not measures related solely to particular assets within the facility boundary. Those asset security measures will be addressed in a later portion of the draft SSP Template.

Risk-Based Performance Measure List

The first thing one sees when starting the Facility Security Measure section of the SSP is a list of the 18 Risk-Based Performance Standards (RBPS). The instructions on the template read: “For each of the following RBPS, you must click on the box and then answer Yes or No as to whether the facility has any security measures for that RBPS.”

For each of the RBPS marked ‘Yes’ the SSP submitter will subsequently see an extensive series of questions concerning that RBPS in a sub-section related just to that RBPS. The subsections for those RBPS that are marked ‘No’ will not appear.

I would expect that the vast majority of facilities that have approvable Site Security Plans will have security measures for each RBPS. The one RBPS that might be checked ‘No’ by a limited number of facilities will be RBPS #8, Cyber Security. There are still a few facilities that have no computer systems to protect. Any facility that checks ‘No’ to any RBPS should expect that they will have to fully justify that selection to DHS before DHS even starts to consider approving the Site Security Plan.

I would suggest that facilities would want to initially check ‘Yes’ to each RBPS and carefully review each section to see if there is even a single question that can be answered before deciding to come back and check ‘No’ to any RBPS.

Existing, Planned, or Proposed Security Measures

Each RBPS subsection will be headed by the same initial question: “Does the facility have any existing, planned, or proposed security measures for RBPS X?” This is a good place to discuss the difference between these three categories of security measures. The distinctions are important to the SSP approval and inspection process.

An ‘existing’ security measure is obviously currently in place and operating. If DHS were to show up today, the facility would be able to show the measure to the inspector. A ‘planned’ security measure is one that is not yet installed or in place but has received formal management approval and is going to be installed by a scheduled date. A ‘proposed’ security measure is one that the facility is considering for installation, but the approval process has not yet been completed.

Essay Question

At the end of each RBPS sub-section there is one final question. This question does not have the common ‘Yes/No’ check-off that most questions get, or even the short, fill-in-the-blank for the inevitable ‘Other’ questions. The question is long, but so is the potential answer. That is why I call this the ‘Essay Question’. Here is the question:

“Does the facility have any proposed security measures for satisfying this RBPS that it wants to share with DHS? In the response to this question, the facility may share with DHS any existing or planned security measures the facility proposes to remove or eliminate to include a general timeline for such action. In the response to this question, the facility may also identify any existing or planned security measures which the facility has identified in this RBPS section, but which the facility does not wish DHS to include in evaluating its SSP for approval. Please see section 4.1.3 and 5.1.3 of the CSAT Site Security Plan Instructions for more detail.”

As I explained in an earlier blog, the purpose of this question is to give DHS an idea of what changes are currently planned for the Site Security Plan. If the current/planned security measures are determined to be inadequate, but there are proposed measures included here, it would allow DHS to tell the facility which of the proposed measures would enable DHS to approve the plan. Asking DHS not to include reported security measures in their evaluation will serve a similar purpose; if DHS approves the program without considering these measures, the company will be free to remove these measures without effect on their SSP status.

If the facility has any existing security measures that it is considering taking out of service or removing, notifying DHS of this in this question would allow DHS to comment on how this removal would affect the continued approval of the Site Security Plan. Paired with proposed improvements, this would again give DHS a chance to ‘approve’ off-setting improvements.

Once again, the approved Site Security Plan will become essentially a contract with DHS. It will provide the standard by which DHS inspectors will judge the adequacy of security arrangements at the facility.
