Tuesday, April 14, 2009

Draft SSP Review – General Facility Information

As I noted in yesterday’s blog, I received this SSP template from a reader, not DHS. This being the case I am not absolutely sure that the template that I have is the one that DHS will actually use in the CSAT. To make sure that everyone remembers that distinction I am calling this a ‘Draft SSP Template’ or ‘draft submission template’. That makes this series of blogs a ‘Draft SSP Review’. Front Page Information The first page of the draft submission template provides the typical disclaimers, paperwork reduction statement, and the standard ‘true, complete, and correct to the best of my knowledge’ statements. There is, however, a description of the SSP process that bears reviewing en toto:
“The CSAT SSP tool collects information from covered facilities regarding existing and - if a covered facility so chooses - planned and proposed security measures. Facilities are required to list and/or describe existing security measures as part of their CSAT SSP submissions. However, this SSP tool will provide facilities the opportunity to propose that certain existing and/or planned security measures identified in this tool not be considered by DHS in evaluating their SSPs for approval. Of course, if a facility chooses not to provide information about an existing or planned measure that is relevant to satisfaction of one or more CFATS RBPS, it is possible that the facility’s SSP, as submitted, may not satisfy the applicable RBPS.”
Why would a facility not want a security measure considered as part of their SSP? Once a facility SSP is approved it becomes the facility’s security contract with DHS. It becomes the standard by which DHS inspectors will evaluate the adequacy of facility security measures. There could be security measures that a facility is experimenting with or evaluating that might not work out. If those measures were included in the SSP evaluation then the facility would have to get DHS approval to terminate those measures. Why would DHS want security measures reported but not considered in the SSP evaluation? If an SSP submission were deemed to be inadequate in one or more of the Risk-Based Performance Standard (RBPS), but would be adequate if the ‘reported but not considered’ performance measure had been considered, it would provide DHS with an easy suggestion for brining the SSP up to standard. The notification letter would then be able to point out the ‘quick’ way of correcting the SSP and the correction could take place with a quick SSP resubmission. Without the ‘reported but not considered’ measures DHS has no legal way to ‘suggest’ ways that the SSP can be brought into compliance without running afoul of the §550 restrictions. This could lead to multiple SSP resubmissions to get the facility into compliance. One last item of interest on the cover page; at the bottom of this page (and every page in the template) is the standard Chemical-Terrorism Vulnerability Information (CVI) warning. When this template is populated with information, it automatically becomes CVI and must be protected in accordance with the requirements of 6 CFR §26.400 and the CVI Procedures Manual. Facility Information The next several pages of the draft submission template deal with information about the facility. Most of this information should already be ‘populated’ when the facility signs into the SSP tool in CSAT. The information comes from previous (Registration, Top Screen and SVA) submissions. It still needs to be reviewed corrections made where necessary. There is one item of information that cannot be corrected without bringing DHS actively into the correction process. That is the ‘Facility Coordinates’ (latitude and longitude) section. Because so much of the DHS information and analysis of the facility security situation relies on this data, DHS does not want changes made to this without their direct involvement. If there is an error in this data, contact the Help Desk (866-323-2957). Notification Letter Information The next rather lengthy section (15 pages) covers verification of information provided in the Facility Final Notification Letter (FFNL). The FFNL is the letter that DHS sends out after reviewing the facility Security Vulnerability Assessment (SVA) and officially designates the facility as a High-Risk Chemical Facility (and thus covered under 6 CFR part 27), designates the Facility Tier Ranking (Tier 1 the highest and Tier 4 the lowest) and designates the Chemicals of Interest (COI) that the facility must ‘protect’ under its Site Security Plan. Again, this information should be pre-populated when the facility signs into CSAT. The information must be carefully reviewed and compared to the data in the FFNL. Do not rely on facility Top Screen or SVA data for this review; use the FFNL. Again, because this data is such an integral part of the CSAT process, changes can only be made by contacting the Help Desk.

No comments:

/* Use this with templates/template-twocol.html */