Friday, May 29, 2009

Public Comments TWIC Reader ANPRM – 05-22-09

It has been a busy week and I am just now getting around to looking at last week’s comments posted on the TWIC Reader ANPRM. I considered combining them with this week’s results, but I looked today at how many new comments had been filed and there were 10 pages of new comments. Oh well, this always happens at the end of the comment period. So this posting will look at the five comments submitted last week. Those comments were received from: Marine Spill Response Corporation Joy May Cowan Association of American Port Authorities Gunther Hoock John C Farmer Marine Spill Response Corporation MSRC maintains a fleet of Oil Spill Response Vessels (OSRV) and Oil Spill Response Barges (OSRB). They are concerned that their vessel falls between the definitions for Risk Groups and have received at least one Coast Guard opinion that their fleet would fall into Risk Group B. They object to that characterization and would prefer to see the status of these vessels clearly delineated in Group C. MRSC believes that the 14 crewmember limit for recurring unescorted access is too low and suggest that the number could reasonably be as high as 25. They also object to the RUA requirement for validating TWIC on a weekly/monthly basis using a hot sheet that is less than 24 hours old. They believe that annual and random checks by TSA are adequate checks. Joy May Cowan Comments Ms Cowan is the owner/operator of a paddlewheel boat that is rated to carry 800 passengers. With six employees she believes that it makes no sense for them to have to carry a TWIC reader on-board. She notes that the Coast Guard ‘regularly’ checks their cards. Association of American Port Authorities Comments AAPA believes that the 3 Risk Groups defined in the ANPRM are an inadequate way to evaluate the risk status of port facilities. They suggest that a risk based evaluation be made on an individual basis for each port facility. AAPA appreciates the removal of the requirement for facilities to always know who is on site. They believe that Hot Lists should be available in real time and distinguish between personnel on the list for security reasons and personnel that simply need to replace their cards. AAPA would like to see the Coast Guard to publish the TWIC Reader specs as soon as the pilot programs are completed rather than waiting until the final rule is published. This will allow facilities and vessels to start evaluating and buying Readers more quickly. Gunther Hoock Comments Gunther Hook, of the Horizon Lines, recommends that the limit for recurring unescorted access should be increased from 14 to 30, noting that it would “bring relief to a larger section of covered vessels and facilities as opposed to a limit of 14 while still preserving a controllable environment”. John C Farmer Comments Capt. Farmer notes that unless there is going to be a TWIC Reader at every entrance to every restricted area there is really no point in having TWIC Readers on a vessel. He makes the point that personal recognition is the most secure form of identification. He believes that a TWIC Reader should only be required where there is an expectation of personnel requiring access that would not be recognized by facility personnel or where a very large number of people would be entering and there would be no expectation that a guard would be able to recognize everyone. Capt Farmer makes a final point that he believes that pilot testing of TWIC Readers is premature; a proper test protocol can only be designed once a clear definition of the use has been made. This ANPRM makes clear that that has not yet happened. My Comments on Comments I’m sure that MSRC is not the only owner/operator of a vessel or facility that does not fit into some neatly defined category. Provisions need to be made in the final rule for some consistent method of evaluating non-standard situations and fitting them into one of the Risk Groups. I’m not sure that I would go as far as requiring every port facility to under go a unique risk evaluation, but DHS has established that such a process is possible in the establishment of their Tier levels for high-risk chemical facilities. DHS did have the advantange that much of the analysis process work had already been done under RAMCAP. Still, the Coast Guard might wish to look into the same type evaluation scheme. The continuing discussion of RUA is appropriate; the number of people allowed under the program could depend on a lot of factors. The length of time the crew works together is probably the most important. With crews that are thrown together for a short period of time the size that allows for rapid personal identification is much smaller. Crews that work together for years could be much larger and still allow for personal identification. One thing that I have not heard discussed is how to integrate a new crew member into an RUA crew, especially a larger crew.

Thursday, May 28, 2009

Opposition to IST Comes from Different Directions

The political wranglings over the re-authorization of CFATS are starting to go much further a field than just SOCMA or AWWA. I ran across articles yesterday on sites as disparate at (a libertarian page) and (a agricultural site). The libertarians are predictably upset about too much government interference in commercial affairs, while the AG guys are worried about the loss of their farm chemicals because of potential IST restrictions on feed stocks for those chemicals.

While I acknowledge that from their relative perspectives they have legitimate concerns about some of the potential elements of CFATS re-authorization legislation, I am concerned about the level of information upon which they are basing their concerns. Both of these articles contain information that is either incorrect, or so twisted as to be unrecognizable. For example, in Steve Dittmer’s article on he writes:
“Now, however, Congress is threatening to change horses in midstream. The law authorizing all these risk and security measures in the chemical industry, the 'Chemical Facility Anti-Terrorism Security Act,’ (CFATS) expires in September, 2009. But a new bill in Congress, expected to be a simple extension of the old authority, instead proposes to mandate the government to take a large measure of control over products and processes in the chemical industry, much like it has taken over leadership, compensation and control functions at some banks, insurance and auto companies.”
There are lots of details in that paragraph that are wrong; not lies, misinformation, or distortion; just mistakes in information. CFATS is the ‘Chemical Facility Anti-Terrorism Standards’ and has certainly never been an ‘Act’ or law. The current CFATS authorization expires toward the end of October, 2009. Now none of these errors make a hill of beans difference about the politics involved, but they do point to a poor understanding of some of the basic elements of the discussion. In the article the author quotes a letter from a ‘coalition of industry groups’:
“For example, last year’s 'Chemical Facility Anti-Terrorism Act' could have caused disruptions of new federal security standards and reduced jobs in the short term, and in the long term weakened infrastructure protection and economic stability.”
Unfortunately, there are no facts or explanations to back up any of these claims, so they only serve to inflame and polarize the discussion. It is hard to support claims that HR 5577 would have disrupted new federal security standards when the legislation implicitly re-affirmed the existing rules while adding additional requirements. The inherently safer technology (IST) provisions of that rule were fairly narrowly written and could have only affected a very small percentage of the facilities covered under the existing regulations. The facilities over which it would have had the most impact, water treatment facilities, were exempted from the most stringent penalties and were probably never going to be actually covered in any case.

There are certainly contentious issues involved in this discussion. There are good, valid arguments to be made on both sides of the issue. The only way that this is going to be resolved in a constructive manner is for both sides to sit down, talk to each other, and work out a program that legitimately addresses all of the issues. Inflammatory language, name calling, and misrepresenting the facts are just going to ensure that nothing gets done and legitimate chemical security issues remain unaddressed.

Reader Comments – 05-27-09 – Approved Training List

Yesterday our good friend Anonymous left a comment on the HR 2200 update blog. The comment was inspired by the requirement §306(b) for DHS to “identify criteria and establish a process for approving and maintaining a list of approved private thirdparty providers of security training with whom surface transportation entities may enter into contracts, as needed, for the purpose of satisfying security training requirements of the Department of Homeland Security”. Anonymous writes:
“I wonder what kind of a step forward DHS is taking in "be required to identify criteria and establish a process for approving and maintaining a list of approved private third-party providers of security training"...What I hope they do is take a long hard look at the maritime security training approval process, and avoid making the MTSA mistakes.”
I’m not sure what ‘MTSA mistakes’ Anon is talking about, but I have only been casually looking at MTSA regulations for a short time. I certainly haven’t been covering MTSA news in anything more than a cursory manner. If anyone can point me in the direction of these ‘MTSA mistakes’, I would certainly appreciate it so I can look into this for lessons learned before we get to that point for TSA. I am a firm believer that a smart person learns from their own mistakes, a truly wise person learns from the mistakes of others. To be clear though, DHS isn’t looking at this yet; Congress is. If the bill passes and these provisions remain intact, then TSA will eventually have to figure out how to make them work. This will involve the writing of regulations so there will be time for us to publicly comment on previous mistakes in that process. I hope that Anon will remember these concerns when it comes time to write comments on the ANPRM or NPRM.

CFATS Extension in Budget Request

A reader called me today to ask an interesting question. He had heard that the 2010 budget request included an extension of the CFATS authorization. He wanted to know if there was any truth to that rumor. I told him that I hadn’t looked at the actual budget request; readers will recall that I have analyzed the Budget in Brief, but I still hadn’t gotten around to pawing through the actual budget request. So, any way, I told him that I would look into it and get back to him. I got a copy of the 2010 DHS Budget Request from the web site and started paging through it. It’s a good thing that the high school I went to in San Jose, CA taught speed reading; I found what I was looking for on page 62 of a 62 page, small type (8 pt New Century Schoolbook-Roman type), lots to look at:
“SEC. 538. Section 550 of Pub. L. No. 109-295 is amended in subsection (b) by deleting from the last proviso ‘three years after the date of enactment of this Act’ and inserting in lieu thereof ‘October 4, 2010’.”
Without any fan-fare or notice the White House is proposing to extend the authorization for the CFATS program almost one year. A Fail-Safe Plan? Now, there is no way of actually telling from this document if this is anything more than a stop-gap measure, put in place to protect against the eventuality of the Congress not being able to pass a re-authorization bill. If that were the case, you would like to think that the President (more likely an advisor) would have explained this to the necessary leaders in Congress so that they would continue to try to work out an appropriate re-authorization bill. This could explain why Congressman Dent’s reauthorization bill (HR 2477) was not referred to the Homeland Security Committee. It would not actually be needed as a stop-gap measure, because the fall back plan was in the budget. From the best that I can tell my contacts in working in the CFATS program at DHS did not know about this provision being in the budget. They might have been told not to talk about this, but they have seem kind of concerned about the future of their program and the lack of public action in Congress on the reauthorization process. Some of them were actually relieved to see HR 2477 introduced; it would only have been a stop gap, but it would keep their jobs going. Or the Real Plan? Back at the end of April I wrote about the change in wording about chemical facility security on the web site. At about that time there were indications that the two Committee staffs were still having problems working out their jurisdictional issues on the reauthorization bill. Those delays may have made it essentially impossible for the House to hold hearings in the two committees, mark-up and resolve the resulting conflicting issues, and get a bill to the floor of the House in time to get the bill to the Senate before the August recess. This would make it unlikely that a re-authorization bill could be passed before the expiration of the current program. I have a feeling that the Obama Administration has made a series of political calculations and decided that it has more important things on its plate than resolving the many issues involved in revising the CFATS program. A great deal of political capital would have to be expended to get a major revision through the Senate and health care, energy policy, cap-and-trade, and the economy are much higher priority. They can almost certainly wait a year for this fight. Industry would prefer to see a two or three year extension, but will certainly accept a straight one-year, no-modification extension. The question becomes will the coalition calling for IST implementation accept that deal? They have been fighting hard for over two years now and have little to show for their efforts. Many of the organizations will see the energy policy and a cap-and-trade bill as an adequate short term trade.

Wednesday, May 27, 2009

DHS CSAT FAQ Update 05-22-09

Long time readers of this blog will remember that it used to be common place to see a weekly review of changes and updates that DHS made to their very extensive CSAT FAQ web page. Those blogs came to a screeching halt in the middle of last November, because DHS essentially stopped updating and reviewing their FAQ. Less than a hand full of updates had been made between the middle of November and the middle of last week. That dramatically changed last week when DHS added the FAQ for the new SSP page. Then last Friday an additional 174 FAQ were ‘Last Modified’ on May 22nd. There is no way that I would even attempt review or even list all of the affected FAQ. Even listing the categories would probably be too extensive an exercise since there were 23 FAQ categories affected. What I have had a chance to do is skim over the answers looking for some interesting anomalies, and I certainly have found some. A large number of the FAQ appear to be related to the Top Screen. While the Top Screen User’s Manual was updated, the update was relatively minor. That change certainly did not necessitate a systematic review of Top Screen FAQ. That leads me to believe that DHS is just catching up on their scheduled reviews that they had missed while working on other projects (like maybe the SSP set-up). I also think that the ‘Last Modified’ explanation of the date is probably misleading. I have found at least a couple of the FAQ answers that were pretty obviously not reviewed, much less ‘modified’. For example, the answer to question #1265 still explains that the: “SVA and SSP templates are not yet finalized”. That hasn’t been correct for the SVA since last summer and changed for the SSP last week. I have long said that the DHS FAQ page is one of the most extensive that I have ever seen. This has its good points as well as its draw backs. The biggest drawback is that the large size makes it difficult to ensure that the information is complete and up to date. A system that is in a relative state of flux like the CSAT site will be even more difficult to up date. I don’t envy the Help Desk team this job especially when there are nitpickers like me looking over their shoulder.

HR 2200 Update before Post-Memorial Day Vote

As I noted last week, it appears that the House will vote on the TSA Authorization Act, HR 2200, when it returns from its Memorial Day recess next week. This seems like a good time to review the reported version of the legislation and to discuss some of the amendments that the House Rules Committee has included in its resolution, HRes 474, authorizing early consideration of the bill. It is a rather large bill (98 pages), but only portions of the bill will affect the chemical security community. Surface Transportation Security Inspection Program Section 302 of the bill establishes the Surface Transportation Security Inspection Program and the Surface Transportation Security Inspection Office which would remove the Surface Transportation Security Inspectors from the supervision of aviation focused personnel. This would allow these surface inspectors to focus their assistance efforts on “surface transportation carriers, operators, owners, entities, and facilities to enhance their security against terrorist attacks and other security threats” §302(b)(2). It also directs DHS to hire 200 additional surface inspectors in 2010 and 100 more in 2011. Freight Rail Security Working Group Section 304 would establish a Freight Rail Security Working Group within a newly established Transit Security Advisory Committee. That working group would “provide recommendations for successful implementation of initiatives relating to freight rail security proposed by the Transportation Security Administration in accordance with statutory requirements, including relevant grant programs and security training provisions” §304(b). Surface Security Training The Secretary would be required under §306 to report to Congress within 30 days on the status of efforts to establish surface security training regulations under sections 1408, 1517, and 1534 of the Implementing Recommendations of the 9/11 Commission Act of 2007. Additionally the Department would be required to “identify criteria and establish a process for approving and maintaining a list of approved private third-party providers of security training with whom surface transportation entities may enter into contracts, as needed, for the purpose of satisfying security training requirements of the Department of Homeland Security” §306(b). SAFE Truckers Act of 2009 Section 432 establishes the requirement for truck drivers transporting ‘security sensitive materials’ to have a “valid transportation security card issued by the Secretary under section 70105 of title 46, United States Code” {§432(b)} known as a Transportation Workers Identification Credential (TWIC). The Secretary would have 120 days to issue final regulations defining ‘security sensitive materials’. Presumably the same regulations would implement the TWIC requirement. This legislation does not address whether or not shippers would be required to have a TWIC Reader to verify the identity of the driver that presents a TWIC. Individual drivers with current hazmat endorsements would not be required to undergo a new background check to get a TWIC. Section 435 would require DHS to begin issuing the TWIC not later than May 31st, 2010. The requirement for having a TWIC to transport security sensitive materials would go into effect within three years of passage of this bill. Section 436 would require DHS to establish a task force to “review the lists of crimes that disqualify individuals from transportation-related employment under current regulations of the Transportation Security Administration and assess whether such lists of crimes are accurate indicators of a terrorism security risk.”{§436(a)}. The task force would be made up of representatives of industry, labor, and select Federal agencies. Authorized Amendments House Resolution 474 has been approved by the House Rules Committee to provide for early consideration of HR 2200. As part of this resolution only 14 proposed amendments have been approved for inclusion in the early consideration process. Most of these amendments have nothing to do with chemical transportation issues. Even those that might end up affecting chemical transportation mainly deal with requiring various parts of the Executive Branch to conduct studies and report back to Congress. Topics of those studies include:
DHS IG to report on the “feasibility and merit of establishing a Deputy Assistant Secretary for Surface Transportation Security in the Transportation Security Administration” §312(b) of the Thompson Amendment; and Comptroller General to report on “the roles and responsibilities of the Department of Homeland Security and the Department of Transportation with respect to pipeline security” §406(a) of the Thompson Amendment.
The one substantive amendment that could affect chemical transportation security is the Castor Amendment. This amendment would add §403(r) to ‘Safe Trucker Act of 2009’ section of the bill to address the issue of redundant background checks required by state and local governments. It would require the Secretary to establish regulations to prohibit “a State or political subdivision thereof from requiring a separate security background check for any purpose for which a transportation security card is issued under this section”. It does provide the Secretary the discretion to waive this requirement if the State or local government can demonstrate “a compelling homeland security reason that a separate security background check is necessary”. Early Consideration of HR 2200 As noted earlier, HRes 474 provides for early consideration of HR 2200. This ‘early consideration’ carries with it some restrictions. There will only be ‘one hour’ of debate allowed on the floor of the House with each of the fourteen amendments getting ’10 minutes’ of that debate. I know, 10x14=140 not 60, but that is how Congress does its math. This limited debate and early consideration comes with a cost to the House leadership, the bill will require 2/3 vote for passage. If it fails on this vote (probably unlikely), it can be brought up again later in the session. At that time the debate would be longer, additional amendments could be offered, and (most importantly) only a simple majority would be required to pass the bill. I’ll be watching next week to see how this bill fairs. I expect that it will pass. The Thompson amendment will probably also pass. I would not be surprised to see the Castor amendment also pass. None of this is really controversial.

Tuesday, May 26, 2009

ACC Finally Gets It

Today Cal Dooley, head of the American Chemistry Council, and Randy Dearth, head of Lanxess, have an editorial in the Pittsburg Post-Gazette. They address the need for the reauthorization of the CFATS regulations. Interestingly no mention is made of their opposition to IST provisions or some of the other provisions that have been mentioned for inclusion by the two Congressional committees currently involved in the process. I think that it is about time that the ACC has taken their campaign for re-authorization to the public. To date there have been a number of editorials written by Cal Dooley, but all of the ones that I have seen have been addressed to industry or Congress. None of them have been in newspapers or magazines read by the general public. Targeting the public is certainly the aim organizations that are pushing for the inclusion of inherently safer technology requirements, language mandating union involvement, specific whistleblower protection and other provisions that might be considered anti-industry. They realize that we are going through a phase of the political cycle where public lobbying efforts are as important as lobbying by business and industry. I am also pleasantly pleased to see that this editorial has taken a positive track in pursuit of its campaign for CFATS re-authorization. Instead of attacking the IST or some of the more populist measures being proposed by activists, this editorial is a positive statement about what has been done to date and what the industry hopes to accomplish. If both sides were to approach this issue in a non-confrontational manner, it would make it easier for both sides to come together to reach a reasonable compromise that all could live with. This would ensure that any changes to the CFATS program would be workable and effective while imposing a reasonable and sustainable burden on the chemical industry.

RBPS Guidance – Getting Started

This is the second in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The first blog in the series was the: Risk-Based Performance Standards Guidance Document In this blog we will be taking a look at some of the information provided in the Guidance document before it starts discussing the actual risk-based performance standards (RBPS). This general information will provide a logical basis for the discussion of the RBPS. Purpose The introduction to the Guidance document provides an overview of how the document is put together and describes how DHS intends for the high-risk chemical facility to use the document. The first thing that facility security personnel must understand is that the Guidance document is not going to tell them how to secure their facility. That is the whole point of establishing performance standards; there is no single security method that is going to be applicable across the wide range of facilities that fall under the label of ‘high-risk chemical facility’. The purpose of the RBPS Guidance document is summed up well on page 13;
“High-risk chemical facilities can use this document both to help them gain a sense of what types and combinations of security measures and processes are likely to satisfy a given RBPS for a facility at their tier level and to help them identify and select processes, measures, and activities that they may choose to implement to secure their facility.”
Organization The Guidance document is set-up essentially the same way as was the draft version. It is laid out into 18 chapters corresponding to each of the 18 RPBS. There are a couple of appendixes that provide additional information on specific topics including a more in depth discussion of some of the security measures that might be employed. Included in those discussions in Appendix C are lists of references that facilities can use to learn more about the technical details involved in developing their site security plan. Each RBPS discussion is arranged in much the same manner. There are three common sections; an ‘Introductory Overview’, one covering ‘Security Measures and Considerations’, and the ‘RBPS Metrics’. Many of the sections have a table that explains what attack scenarios from the SVA are addressed by that Standard. What RBPS Apply? The CFATS regulations require that each high-risk facility must “must satisfy the performance standards” outlined in §27.230. This means that all eighteen of the RBPS must be addressed in the site security plan. The Guidance document notes that each facility will be notified which security issues and COI must be addressed in their site security plan. These security issues and COI will determine the relative emphasis that will be placed on each RBPS. Additionally the Guidance notes that: “Different security measures or activities may be more or less effective depending on the specific security issues.” There is a detailed discussion on pages 17 thru 20 on how the security issue may affect the security measures selected to secure the facility. Any facility developing a site security plan would do well to read and understand that discussion. Not only is it good advice, but it is the best summation of what DHS will be looking for in approving site security plans. Facilities with more than one security issue will find that their security situation will be very complex, but understanding the reasoning that DHS applies to the individual issues will make planning a little easier. Inherently Safer Technology DHS has not addressed the issue of the use of inherently safer technology (IST) in the RBPS Guidance document. A coalition of labor, environmental and other activist groups suggested in their response to the Draft Guidance document that DHS include a discussion of IST in the Guidance. DHS replied in their recently published response to comments that:
“While facilities may voluntarily choose to consider IST solutions as part of their overall security approach, the examination or implementation of IST is not required under CFATS to satisfy the RBPSs and thus is not addressed in the Guidance. No change to the Guidance based on this comment is warranted.”
Strictly speaking, IST is not a security measure. It generally falls into the category of risk elimination, risk reduction or risk mitigation measures. The first two categories are better addressed in the Top Screen portion of the CFATS process. If a facility either eliminates or substantially reduces the amount of a COI on site, both well established forms of IST, they need to re-submit the Top Screen as this may change their status as a high-risk facility by removing them from the list entirely or lowering their Tier level ranking. There actually is an IST provision mentioned in the Draft RBPS Guidance Comment document. On page 7 in response to questions about the ‘interdiction requirement’ DHS made the following comment:
“While an armed security force is one potential way of accomplishing this [delay] (and something high-risk chemical facilities may wish to consider), there are many other options for achieving this result (e.g., establishing capabilities to detect an attack early enough and delay it long enough so that local law enforcement can intervene; implementing process controls or systems that rapidly render a target non-hazardous even if an attack successfully breaches containment [emphasis added]).”
While this will not be a commonly available option, the rapid conversion of a COI to a non-hazardous chemical or form would certainly fall under the heading of IST. Other risk mitigation measures that provide for automatic post-release neutralization while not strictly IST also should be considered in the development of the site security plan. Facilities that have release COI as their principal security issue need to take a hard look at the whole range of IST possibilities. Looking at the RBPS it will quickly become clear that any security plan for a release COI high-risk facility will quickly become expensive. The easiest way to reduce those potential costs may be to reduce the risk associated with the chemical used on site by using any one of a number of well established inherently safer engineering alternatives.

Monday, May 25, 2009

Reader Comment – 5-21-09 Houston Meeting Feedback

Thursday evening Meisterschutzen, a much more interesting nom de guerre than Anonymous (I know, please forgive me but I couldn’t skip a two language pun), left a reply to my request for information on the Roberts Law Group’s previous Regulatory Briefing in Houston. He noted that he thought that the seminar was ‘most worthwhile, writing: “Steve Roberts [sic] programs offer a fast paced, concise, and on-target overview of latest federal regulatory landscape relevant to the chemical and petro-chem industry. The programs are widely well received with participants asking for more. Steve and his guest speakers point participant in the right direction to learn more about the regulatory programs important to them.” Thanks for the input. Maybe we can get together and share a Jagermeister.

Friday, May 22, 2009

HR 2477 Text

As of 4:00 EDT today the GPO and still do not have a copy of HR 2477 available to the public. Fortunately a reader had some pull in DC and got me a copy of the bill. It is extremely short, two pages, two sections. I still don’t understand why GPO hasn’t gotten this printed when they have had a number of other lengthier documents out today, much less yesterday or the day before. Oh well, maybe they know it isn’t going any where. In any case, here is the summary Section 1 – Short title: “Chemical Facility Security Authorization Act of 2009” Section 2 – “SEC. 2. EXTENSION OF AUTHORITY OF SECRETARY OF HOMELAND SECURITY TO REGULATE THE SECURITY OF CHEMICAL FACILITIES. Section 550(b) of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109-295; 6 U.S.C. 121 note) is amended by striking ‘‘three years after the date of enactment of this Act’’ and inserting ‘‘on October 1, 2012’’. I wish all laws were this easy to read. Well, maybe I don’t; why would anyone read my blog explanations of legislation?

Too Many Mistakes Today

I guess it just happens when you try to do too many things at the same time; you just make stupid mistakes. I was in too much of a hurry this morning to get to a meeting and in too much of a hurry at lunch to check things properly. Mea Culpa. Congress has adjourned until June 2nd (Tuesday Week) for their Memorial Day Recess not Monday afternoon as was printed in Thursday’s Congressional Record Daily Digest. The Daily Digest does not report what is on the legislative calendar for the House on June 2nd, but HRes 474 has been reported and will probably be considered. That would mean that HR 2200, the TSA Authorization Bill would be under consideration. As of this afternoon the Rules Committee Report is available for HRes 474 (House Report 111-127). Next week, plenty of time before June 2nd, I’ll take a look at the reported version of HR 2200 and the proposed amendments in a blog where I won’t be in a hurry. Again, pardon me for looking stupid, but it has been a crazy hurried day.

HR 2200 on Fast Track – 05-22-09

I love to be able to say “I told you so”. I said that HR 2200, the TSA Authorization bill, was on a fast track for passage in the House and even I underestimated how fast. Yesterday the House Rules Committee held an ‘Emergency Hearing’ on HR 2200 and reported H.Res. 474 as a rule to expedite a hearing before the House. The full House of Representatives is scheduled to debate the bill today for one hour. A vote may be allowed to take place this afternoon or early evening depending on how long Speaker Pelosi intends to keep the House in session before it short Memorial Day Recess. I have been partially on vacation this week so I missed the publication of the Homeland Security Committee Report (Report 111-123) and the printing of the latest version of the bill, that reported by the Committee (HR 2200RH). Both are available on the GPO web site or at Unfortunately, when the House Rules Committee does one of these resolutions to allow for early consideration of a bill, their report is not published or publicly available until after the debate is over. This is unfortunate since this is the only place that one would be able to find copies of the amendments that will be allowed to be discussed and/or considered in today’s debate. The only good thing is that bills considered under these rules typically require a 2/3 majority to pass. If they don’t achieve that on the day of early consideration they can be brought back up again in the course of regular consideration where they will only require a majority vote to pass. I expect that if it comes to a vote, it will pass. Sometime next week we will be able to look at what the House passes today (in all likelihood) in some detail before it is considered by the Senate. Given the interest in the Senate Homeland Security Committee to get a DHS authorization bill done this year, I would not be surprised to see this get swift consideration in that body as well. OOPS. Update a 10:25 The House is not meeting today, it recessed for the long weekend last night. That means that this bill will be considered early next week. The House is actually schedule to reconvene on Monday evening, but will probably not get to work until Tuesday.

SSP Submission – Facility Data

This is the second in a series of blog posting on the recently released Site Security Plan Instructions Manual. The first blog in this series was: Preparing for SSP Submission Regular readers of this blog will remember that I did a series of blogs earlier this year on ‘draft’ copy of the site security plan template that I had received. As part of the this series I will refer back to those blogs to correct any potentially confusing or misleading information that I provided. Today I will start with the General Facility and Facility Operations portions of the SSP and I will point out any differences between my earlier blogs and the actual instructions. General Facility Information As I noted in my earlier blog, most of this information will be pre-populated in the SSP Tool from information provided in the Top Screen and SVA submissions. The facility needs to review all of the pre-populated data to ensure that it is correct and complete. If an item of information is missing, enter the data. If the information (other than latitude and longitude) is incorrect, press the “Update Facility Information” button and correct the data. Latitude and Longitude information can only be corrected by contacting the DHS CSAT Help Desk. Earlier I described the Facility Final Notification Letter (FFNL) information that is included in this section. The Facility is responsible to ensure that the information in that letter is properly reflected in this section of the SSP. If any information from the FFNL is missing or incorrect in this section, the Facility must contact the Help Desk before proceeding with entering any further data in the SSP tool. This section also asks about the COI found at the facility. There will be a question for each of the seven security/vulnerability combinations asking if there are issues related to COI in that category. The Facility should answer yes if there are any COI listed in that security/vulnerability category listed in the FFNL. Additionally, the facility can answer yes if there are COI not included in the FFNL that they want DHS to consider in their SSP submission. See my earlier blog for an explanation why a facility might want to do this. For each positive answer in this section a list of COI from that category will appear with ‘Yes’/‘No’ check boxes to allow the facility to select the covered COI. The COI listed in the FFNL should already be selected ‘Yes’ as part of the pre-populated data. Once each of the selected security/vulnerability combinations is marked as completed a summary page of the identified security/vulnerability combinations and selected COI will appear for the Facility to review. Facility Operations In my blog on the Facility Operations section of the SSP I noted that there would be pull down menus with a variety of selections to pull from, but the Draft Template that I had did not provide the list of potential answers. It appears that the assumptions that I made in that discussion are born out by the SSP Questions manual (pgs 25-7) descriptions of the answers available. For example the SSP Questions provides the following responses to the question about facility type:
“Agricultural Chemicals Distribution, Agricultural Chemicals Manufacturing, Agricultural Products Processing, Chemical Distribution, Chemical Manufacturing, College/University, Food Distribution, Food Processing, Health Care, Mineral Extraction/Processing, Natural Gas Storage/Transfer, Petroleum Products Distribution, Petroleum Refining, Pharmaceutical Manufacturing, Power Generation, Propane Distribution, Research, Waste Management, Other”
The discussion in the earlier blog about the on- and off-site emergency response capability appears to have addressed that section pretty well. I have found an interesting error in the SSP Instructions in this area. Section 3.4.3 is inaccurately titled. The printed title is “Emergency Management Team [emphasis added] (EMT) Information”; the discussion makes it clear that it should refer to “Emergency Medical Technicians”. While I did note in the earlier blog that this section of the SSP Tool allows the facility to upload an Alternative Security Program (not ‘plan’ like I called it in that blog) I failed to note that there were five questions that the facility had to answer about the ASP before it can be uploaded. An affirmative answer to each of these five questions will automatically transfer the facility to the APS Upload Page. A negative response to any of the questions will require a facility to answer yes to the following question before being given access to that upload page:
“The ASP does not address all pertinent factors in 6 CFR 27. Do you wish to continue to upload an ASP in lieu of the CSAT SSP?”
The reason for this question is that if an ASP does not adequately address the requirements of 6 CFR §27.235 there is very little chance that the SSP will be approved. As I noted in my earlier blog, with the history of problems that facilities had with getting an ASP approved for Tier 4 Security Vulnerability Assessments, I would bet that very few, if any, ASP’s will be approved on the first submission. If a facility selects to upload an ASP in lieu of the SSP, then that facility will be done with their initial submission through the SSP tool one that upload is complete.

Thursday, May 21, 2009

New Top Screen User’s Manual

On Monday DHS posted a new CSAT Top Screen User’s Manual to their Chemical Security Web site. As I noted in my Tuesday blog, the Change Log in the new manual provides a brief listing of the changes and none of those changes seem to be major. Today I’ll look at the changes in some detail. Revised Set of CVI Authorizing Statements Before a new facility is allowed to complete a Top Screen the user will be required to read and acknowledge the contents of the “CVI Authorizing Statements” screen. This screen provides an abbreviated explanation of the CVI rules; those rules necessary to protect the Top Screen submission documents. This is done because the vast majority of facilities that complete a Top Screen will be found not to be a high-risk facility and will have no other contact with CSAT. DHS has determined that for the time being there is no need to require full CVI training just to complete the Top Screen. Once the facility is preliminarily identified as a high-risk facility, all CSAT users from that facility will have to complete CVI training before they are allowed access to the SVA tool. The new Top Screen User’s Manual adds the following paragraph to the section explaining this requirement:
“Acceptance of the CVI Authorizing Statements makes the individual a CVI Authorized User, with their access limited to the Top Screen. The individual’s access is limited to CVI created by the preparation and submission of the CSAT Top-Screen. The individual will not be issued a CVI Authorized User Number.”
The important part here is the phrase “a CVI Authorized User, with their access limited to the Top Screen”. This brings the instructions in line with the new CVI manual issued last October. There is an additional paragraph explaining the requirement to complete CVI training before work can begin in the next CSAT tool if the facility remains in the CFATS process. Additionally, the screen-shot of the “CVI Authorizing Statements” screen has been updated to reflect the current screen. New Buttons on Choose Facility Screen The next page that a new facility will see after accepting the ‘CVI Authorizing Statements’ is the “Choose Facility” screen. There are two buttons on that screen that need explanation One of those is the “Update Facility Info” button. The new manual adds a brief description of the purpose of that button in para 1.1.1 and refers the user to the “Update Facility Information section” (2.1.1) later in the manual for further information. The second button is the “Manage User Roles” button which allows an authorizer, submitter or preparer “to add or delete reviewers for the Top Screen Survey”. A new para 1.1.2 provides brief instructions for completing the addition of a Reviewer. It also warns users not to put an authorizer, submitter, or preparer into a Reviewer status because this will remove their rights to enter or change data in CSAT. Save Button Explanation A change has been made to the navigation buttons on each page of the Top Screen. The old controls consisted of “Back” and “Next” buttons to allow the user to change screens. Pushing either button saved the information that had been entered into that page before the new page was displayed. DHS has added a “Save” button between those two buttons. This will allow the user to save the data entered on that page without changing the page that is displayed. This would be important if you were nearing the 20-minute “time-out” limit and wanted to ensure that you saved the data that had been entered on that page.

Wednesday, May 20, 2009

HR 2477 to Extend CFATS Authorization

Yesterday three Republican members of the House Homeland Security Committee introduced HR 2477 to “provide for an extension of the authority of the Secretary of Homeland Security to regulate the security of chemical facilities”. This is the first CFATS re-authorization bill to be introduced in the 111th Congress. Interestingly the bill was referred to the House Committee on Energy and Commerce, but not the Homeland Security Committee. It is possible that that will change in the next couple of days. The text of the bill is not yet available from the GPO. As soon as it becomes available, you can be sure that I will review the language and specific provisions. The author of the bill is Charles W. Dent (R, PA). The two initial co-sponsors are Daniel E. Lungren (R, CA) and Mark E. Souder (R, IN).

DHS Chemical Security Web Site 05-18-09

Yesterday I reported on DHS posting a new version of the Top Screen User’s Manual. As part of that they changed a few of the pages in the DHS Chemical Security web site. Actually it was noticing these changes that led me to the new User’s Manual. The pages that were changed were the: Critical Infrastructure: Chemical Security Chemical Security Assessment Tool CSAT Top-Screen The only change to the Chemical Security page was the link for the CSAT page. The CSAT page also had a link change, the one to the Top Screen page. There were also two changes in the Key Documents box on the right side of the CSAT page. They updated the listing and link for the Top-Screen User’s Manual. They also added a date (May, 2009) to the listing for the RBPS Guidance document. This brings that listing in line with the other document listings in that box. Now readers can verify that they have the most up-to-date document at a glance. The only change to the Top-Screen page is the link to the User’s Manual. This was a new page as of last Friday. It might have been easier for DHS to update the Top-Screen User’s Manual at that time, but even I might have missed the change in the excitement of the release of the RBPS Guidance and opening of the SSP page. It might seem a little bit much to write about minor changes to a web site like this. I have done a little (very little) web site work and know how much work goes into even a relatively minor change. On a site like the DHS Chemical Security web site with its interlinked pages, making sure that all of the page links are working properly is something that is frequently overlooked. The team at DHS that maintains this page needs a little public recognition for their good work from time-to-time. I’m happy to oblige.

Freight Rail Rule Correction Published

Today the TSA published a correction to the Freight Rail Security Rule published last year. Most of the changes were correcting minor reference errors within the regulation. The only substantive change was a change to the telephone number for reporting security concerns {§ 1580.203(b)}. The new TSA Freedom Center number is 1-866-615-5150.

CSX SecureNow

Yesterday I was invited to join a Blogger Conference Call with CSX. They wanted a chance to show-off their new SecureNow system; their comprehensive method of tracking freight and passenger rail cars on the CSX rail system. From what we were shown they have good reason to be proud of their system. RSSM Monitoring What started as an asset management system has been modified to produce a security monitoring system that allows them to track a large number of potential targets as they move across the CSX system. What will be of the most interest to readers of this blog is the extensive capability to track railcars carrying Rail Sensitive Security Material (RSSM). Not only can they track individual RSSM railcars, but the supporting data base can instantly provide detailed information on the shipment, the RSSM hazard, and details on the rail car construction and layout. They are even working with some RSSM shippers to evaluate the use of a variety of car status sensors as an additional data source. The system is technically impressive, but it does appear to be a logical outgrowth of an asset management system. If the system were limited to just CSX use, that is all that the system would ever be; an extensive, technically-advanced asset management system. What is more impressive to me is the political acumen that led CSX to share the use of the system with private, State and Federal emergency response and security officials. Sharing Information CSX has provided CHEMTREC® with a system terminal and access to the CSX system. CHEMTREC is a private organization established by the American Chemistry Council to provide a single centralized clearing house for chemical safety information for first responders. The CHEMTREC 1-800 number is the go-to source for first responders to go to get the up-to-date information necessary to safely respond to an accident involving hazardous chemicals. I would not be surprised to find that their phone number was the single most common phone number on an emergency responder’s speed dial list. With the SecureNow terminal in operation at CHEMTREC the first responders to a freight rail accident can contact a well known phone number and quickly determine if that CSX train is carrying hazmat, what hazmat material is in which car in the train, how much is in each car, as well as the safety information associated with those materials. It truly makes CHEMTREC a one stop shop for first responders looking for hazmat response information. CSX provides state homeland security personnel with direct access to the SecureNow information through the CSX Public Safety Coordination Center. Dedicated lines from designated State Fusion Centers ensure that security planners and emergency response coordinators have uninterrupted access to CSX information. CSX is also in the process of putting SecureNow terminals in Fusion Centers covering states where CSX provides service. Because of the legal negotiations and training requirements CSX currently only has terminals in Indiana, New York, New Jersey, Kentucky, Maryland and Ohio. Additionally, CSX has installed a terminal in the TSA Freedom Center. The information directly available to TSA from that terminal is certainly in excess of the requirements for reporting the location of RSSM railcars that were included in the latest freight rail car security regulations. Time for Questions At the end of the CSX presentation we were provided some time to ask some general security related questions. I took the opportunity to ask about the implementation of the Freight Rail Security Rules. Readers might recall that I have written two postings on the CSX plans for implementation back in January. In the first I addressed a letter CSX was sending to its customers about implementation plans. In the second I looked at a reply I received from CSX about the first blog. In those blogs I looked at CSX concerns expressed that the attended carrier-to-carrier handoff rules might cause them to change some RSSM routes to avoid using some short line and regional carriers that could not provide attended exchanges. In the second blog I noted that “CSX is certainly not trying to specifically route through urban areas, but they will use this rule to avoid lowering their profits by re-routing around urban areas through use of some other carrier.” I specifically asked Skip Elliott about how many routing changes had been made due to the attended hand-off rules. He told us that CSX had been able to coordinate hand-offs with all of the affected short line and regional carriers. He noted that some exchange locations had been changed, there had been no route changes because of these freight rail rules. It was too early in the implementation of the RSSM routing rules to ask effective questions about that implementations, especially since the only thing being done to date is data gathering. CSX did make a commitment to future blogger calls, so perhaps I’ll get a chance to ask questions on those issues in the future.

Tuesday, May 19, 2009

Public Comments TWIC Reader ANPRM – 05-15-09

There were two comments posted this week on the Coast Guard’s TWIC Reader ANPRM. Additionally, the Coast Guard posted a copy of the slides that were used in the public meeting held on May 6th. The comments were received from: MC Morris Tovah LaDier MC Morris Comments Sometimes I begin to wonder who is doing the listing of comments at Typically they list organization comments submitted on organization letterhead by the organization name. Otherwise they use the name of the person signing the letter. This letter was signed by MC Morris “By Direction”. The letterhead was from “Commander, Military Sealift Command”. The “By Direction” makes this an official submission by that command. The MSC comment notes that it is not clear whether or not the rules apply to “public vessels and shore activities maintained by the Department of Defense”. They would like to see it explicitly stated that the TWIC Reader rule does not apply to DOD facilities and vessels. Tovah LaDier Comments Again I have an issue with the misleading listing of this comment on The document is a copy of the prepared testimony (apparently from the May 6th public meeting) of Megan Gajewski “on behalf of Tovah LaDier” the managing director of the International Biometric Industry Association. It should probably have been listed as IBIA comments. The IBIA notes that:
There are already TWIC Readers commercially available; Vessels and facilities should be allowed to use commercially available TWIC Readers while TSA is ‘evaluating’ TWIC Readers; and The IBIA disagrees with allowing Risk Group B vessels and facilities to only biometrically verify identity ‘randomly once per month’ under MARSEC 1 conditions
My Comments on Comments It should go without saying that the TWIC rules do not apply to military vessels. It is not clear that all of the vessels in being addressed in the MSC letter strictly fall under that description. As long as the MSC vessels are operating out of Navy ports, there not having TWICs will not be a problem. However, I believe that these vessels frequently operate out of civilian ports. For non-military crews to not have TWIC or an operationally equivalent ID could cause some problems in that situation. This certainly needs to be addressed in the NPRM. The IBIA comments about the current availability of TWIC readers are a tad bit self-serving. They note that there are at least 17 models that have successfully undergone TSA ‘laboratory testing’, so they could be voluntarily used by MTSA covered facilities while TSA completes their more extensive ‘functional and environmental’ testing. While I agree that such voluntary interim use could provide valuable information for TSA rule development efforts, I am not sure why the IBIA is making that comment here. TSA is unlikely to ‘officially’ approve voluntary interim use, but it certainly has not prohibited that use. Individual Captains of the Port may currently authorize that interim use as part of facility or vessel security plan approval process. The purpose of the environmental and operational testing being conducted by TSA is to ensure that TWIC readers will reliably work in the sometimes challenging environment associated with port facilities and ships. TSA does not want to require the use of equipment that cannot survive for a reasonable period of time in that environment. Justifiably, IBIA member companies would like to recoup their investments in TWIC Reader developments sooner rather than later. Selling them before they are approved or required could be a challenge for the best sales person, but TSA is not going to ‘authorize’ interim use to aid sales. One minor comment on the Coast Guard meeting slides. Whoever put this .PDF document together oriented the slides so that they show up in the .PDF Reader software rotated 90 degrees out of standard. This means that you have to play with the size controls and turn your head sideways to be able to read the slides. This is the first time that I have seen PowerPoint® slides displayed this way in a .PDF file. It is certainly not user friendly. Not only was this poor attention to detail on the part of the preparer, but who ever approved this document for release needs to be hung from the modern equivalent of the yard arm.

EPA vs Security

It has come to my attention that there have been questions about some disparaging comments I made about the Environmental Protection Agency in one of yesterday’s blogs. In discussing upcoming chemical security legislation where EPA will become responsible for chemical security at water treatment facilities I made the comment that this would “continue the non-existent EPA interest in security at water treatment facilities”.

I hope that there was no ambiguity about my disdain for the EPA’s attention to security issues. Of course their role in the government is not primarily to deal with security matters, it is to deal with environmental issues. But, everyone in today’s government should have some basic respect for security matters; everyone it seems except EPA.

Last week I ran across a very interesting article on (out of Salt Lake City, UT) about an abandoned chemical facility that the EPA has taken responsibility for. The Cook Slurry Company was a well known local manufacturer of liquid explosives for the mining industry. It specialized in explosive slurries of ammonium nitrate and fuel oil. The EPA became involved when it became known that the abandoned facility still contained hazardous chemicals including ammonium nitrate and fuel oil in separate tanks.

According to the article the EPA has yet to confirm the contents of a 20,000 gal tank that appears to contain one of the explosive slurries. While the particular chemicals may be more distressing than normal in this case, it is not unusual for EPA to become responsible for the supervision of the clean-up of such a facility. They would typically come in and inspect the facility to ensure that there are no actual or impending leaks that would endanger the local environment. They then would sit on the facility while they tried to track down responsible parties to pay for the clean-up. Again, lacking an imminent danger to the environment, the clean-up might not start for years while the legal requirements were worked out.

What distresses me in this case is not the delay in tracking down the responsible parties, but rather the description of the security measures put into place to protect what is potentially the most desirable terrorist weapon short of an active nuclear weapon. It is weaponized ammonium nitrate in a pumpable form waiting to be loaded into any convenient form of transportation. This is a massive vehicle borne improvised explosive device (VBIED) or two waiting to be loaded. This would be a weapon capable of taking out a city block.

If there were ever a chemical facility that was a potential terrorist theft target, this is the place. The article describes the security measures this way: “The EPA has taken keys to the property, double-locked gates, posted caution signs and is warning neighbors who live as close as half a mile from the plant.”

Yes, those are security precautions to be proud of. I don’t suggest that any high-risk chemical facility try to base their site security plan on such complex procedures. Yes, Chairman Waxman and his committee staff should rest assured that this is the agency that they intend to allow to continue to supervise the security at high-risk water treatment facilities; the treatment facilities that make up the bulk of the chemical facilities on the CAP Chemical Security 101 list. After all, jurisdictional issues are much more important than security.

DHS Updates Top Screen User's Manual

As is usual for DHS there was no fanfare or announcement, but they posted an updated version (2.8) of the CSAT Top Screen User’s Manual on their Chemical Security Web page yesterday afternoon. I have not yet had a chance to review this in any depth, but they do provide a “Change Log” page for their manual (a practice that other government agencies should adopt). That shows that the following changes were made to the manual:
“Version 2.7.a -> Version 2.8 “Updated version number and date “Updated section 1.1 (text and images) to reflect a revised set of CVI Authorizing Statements each CSAT User must agree to prior to accessing the Top Screen. This update aligns the CSAT Top Screen with the revised CVI Manual issued in October 2008. “Updated section 1.1.2 and section 2.1.1 with the new Update Facility Info features “Updated section 1.1.2 to include the new Manage User Roles features “Added the Save button explanation to section 1.2”
This looks like procedural stuff not a substantive change in the Top Screen (the Questions manual has not been updated). I’ll take a closer look at the changes later today and may have more information on this tomorrow.

Risk-Based Performance Standards Guidance Document

Last week’s opening of the Site Security Plan Tool on the DHS CSAT web site had been held up for months while DHS waited for the Office of Management and Budget to approve the publication of the Risk-Based Performance Standards Guidance document. That document will provide high-risk chemical facilities some assistance in determining what types of security measures will allow those facilities go receive DHS approval of their Site Security Plan.

This is the first in a series of blog postings that will provide a close-up look at that document. Draft Guidance Document Review Back in October DHS posted a draft version of the Guidance document on their web site and published a notice in the Federal Register requesting public comments on that draft. I prepared a series of blog postings on those comments as they were published (listed below). Of course, those blogs were my review and my opinions on the comments, not anything approaching an official review.

Comments on Draft RBPS Guidance – 11-28-08
Comments on Draft RBPS Guidance – 12-05-08
More Comments on Draft RBPS Guidance – 12-05-08
More Comments on Draft RBPS Guidance – 01-09-09

On the SSP tool web page DHS has provided a link to an official review of the public comments. That document broke comments down into two categories; General Comments, and Comments on Specific Security Issues. Then DHS looked at each of the comments (sometimes lumping a number of comments together) and provided their reasoning for either applying or not applying the recommended changes.

There is one set of comments that I would like to address, since my submission was one of the ones to suggest that the repeated disclaimers in the draft document severely weakened the authority of the Guidance. While not going as far as I suggested, DHS did make some changes that improved the document. The Comments Received document (pg 2) explains:
“To make the Guidance shorter and easier to read, the Department has decided to replace most of the disclaimers and related language with a single disclaimer at the beginning and in a brief footer on every page.”
Anyone that will be using the RBPS Guidance to inform their development of a site security plan (and that should include all Facility Security Officers at all high-risk chemical facilities) should take the minimal effort to read this 30 page document. Even if one hadn’t read the draft document, the explanation of the changes made to the document, as well as the changes not made, will provide additional information and guidance on what DHS is looking for in the Site Security Plan.


There is still a substantial disclaimer at the beginning of the document. The meat of that disclaimer has not changed from the one found in the draft document. The most important part states:
“This Guidance reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in this document are neither mandatory nor necessarily the ‘preferred solution’ for complying with the RBPSs. Rather, they are examples of measures and practices that a high-risk facility may choose to consider as part of its overall strategy to address the RBPSs. High-risk facility owners/operators have the ability to choose and implement other measures to meet the RBPSs based on the facility’s circumstances, including its tier level, security issues and risks, physical and operating environments, and other appropriate factors, so long as DHS determines that the suite of measures implemented achieves the levels of performance established by the CFATS RBPSs.”
Additionally, at the foot of each page is another, simpler disclaimer that essentially covers the same information. That disclaimer reads:
“Note: This document is a “guidance document” and does not establish any legally enforceable requirements. All security measures, practices, and metrics contained herein simply are possible, nonexclusive examples for facilities to consider as part of their overall strategy to address the risk-based performance standards under the Chemical Facility Anti Terrorism Standards and are not prerequisites to regulatory compliance.”
These disclaimers are required because when Congress authorized DHS to write the CFATS regulations they placed a number of restrictions on that authority. The one restriction that applies here is that the §550 authorization included language that prohibits DHS from requiring any specific security measure to be included in the Site Security Plan as a prerequisite for the approval of that plan. In order to be able to provide the guidance necessary the writers had to ensure that no one could interpret the guidance as requiring any specific security measure.

The writers did not limit their conformance to that restriction to just the inclusion of these disclaimers. The entire document was carefully crafted to avoid the appearance of requiring any specific security measure. The only exceptions to this are found in the discussion of RBPS #18, Records. There are specified record retention requirements listed, but, since these are not ‘security measures’ by any definition, and they come directly from the CFATS regulations (§27.255), they do not violate the Congressional prohibition.

The vast majority of the changes made from the draft Guidance document were made in the ‘metrics’ portion of the document. These metrics are misnamed because they do not really allow for measurement of compliance, which would be seen as prescriptive, but they do provide a broadly written narrative description of the type actions that DHS would like to see taken. The changes made in the final version of the document were not so much substantive, as editorial, to remove even the remote appearance of specifying a security measure.

RBPS Guidance and Enforcement

More than one commentor on the Draft Guidance document expressed their concern that the Guidance document would be used by DHS inspectors as an expression of requirements during the enforcement phase of the CFATS implementation. It may be a well founded concern, but for the wrong reason.

The wording in §550(a) of the Homeland Security Appropriations Act of 2007 (Public Law 109-295) is quite specific; “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”. The language is quite specific in referring to the ‘approval’ of the site security plan. There is no such restriction in the §550(e) wording concerning the requirement for the Secretary to “audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section”.

No one that I have talked to from DHS has ever mentioned this distinction. I have been told, however, that DHS will consider the approved Site Security Plan as a ‘contract’ between the facility and DHS outlining exactly what the facility is required to do to adequately secure the facility against terrorist attack. DHS may very well use the RBPS Guidance metrics as a measure of how well the facility has complied with that contract.

Monday, May 18, 2009

Reported Compromise on Water Facility Security

I found an interesting article on about congressional progress on CFATS re-authorization legislation. The article by Sara Goodman explains that the two House committees working on the re-authorization issue have reached a compromise on the issue of regulating chemical security at water and wastewater treatment facilities. Sara reports that under the recently reached compromise the EPA would retain jurisdiction for security at water and wastewater treatment facilities, including chemical security. The article goes on to report that the markup of the two chemical security bills (one for CFATS re-authorization and one to continue the non-existent EPA interest in security at water treatment facilities) will begin in June, not before the previously reported Memorial Day Recess deadline. Given the normally extensive summer recesses and the wide variety of other high-priority legislation that has yet to be considered, this schedule reduces the likelihood that CFATS reauthorization can get approved before the October expiration of the current authorization. Ms Goodman notes that: “Given the slow progress with negotiations in Congress, the aide [unnamed Homeland Security Committee staffer] said lawmakers will probably introduce a simple bill on suspension that will extend the sunset until Congress can put in place permanent regulations.” This is a potential solution that I had previously discussed. She also notes that “the Obama administration proposed in its fiscal 2010 budget request to extend the regulations through October 2010”. It is true that funding for CFATS operations has been included in the budget request, but I haven’t seen any thing specifically extending the CFATS authorization. As I noted in an article I wrote for the Journal of Hazmat Transportation (19:6, pg 25) there are some people that believe that extending the budget authorization for the program will effectively extend the authority for the program. The political saga continues to provide fodder for the blog writer.

Homeland Security Regulatory Briefing

A reader forwarded me some information on a meeting that will be held later this month to take a look at a wide variety of DHS issues that impact the chemical security community. The one-day conference is scheduled for May 28th in Houston, TX. It is sponsored by the Robert’s Law Group that apparently specializes in ‘Homeland Security Law’. They are scheduled to have updates on CSAT implementation and CFATS reauthorization efforts in Congress; both currently hot topics for the chemical community. What looks to be the most interesting to me is the panel discussion they will be holding on Site Security Plans and RBPS. These two topics are timely, but the interesting component is provided by the panel participants; security folks from Air Liquide, ConocoPhillips, BP and DuPont. It will be interesting to hear what large facility owners and multiple facility owners see in SSP and RBPS. Two local law enforcement types will be making presentations. Normally they would be of interest to local companies, but when the location is Houston, TX there will certainly be a information of interest beyond the local jurisdiction. An officer from the Harris County Sherriff’s Department will provide some insights into “Developing a Local Homeland Security Bureau” and a Coast Guard representative from one of the biggest chemical ports in the world will provide an update on TWIC compliance activities. The little brochure that I was sent mentions a presentation on TSA’s new Freight Rail Security rules, but doesn’t provide any information on who is making the presentation. It would be interesting to hear from the railroad’s perspective on this issue or a large shipper of RSSM, but we will have to see who does the presenting. According to the brochure this is the second time this conference has been held. Apparently I missed hearing about it last year. I would like to hear from anyone that went to the first one. I’m thinking about going to this one and would like to hear someone’s opinion on how well the last one was pulled off. You can make your reservation for this conference on the Robert’s Law Group web site.

Preparing for SSP Submission

Now that the CSAT SSP tool is open and available for SSP submissions high-risk chemical facilities will need to get serious about completing their site security plans and preparing for SSP submission. Facilities cannot begin the submission process until they receive their Final Notification Letter (FNL) from DHS officially designating them a High-Risk Facility, assigning them to a Tier level, defining the chemicals of interest (COI) that must be covered in the SSP, and outlining the security/vulnerability issues that must be addressed by the Risk-Based Performance Standards (RBPS) listed in 6 CFR §27.230. The letter also provides the submission deadline that marks the end of the 120-day submission requirement. Facility CSAT Personnel Roles All facilities that receive an FNL will have already submitted two documents using the Chemical Security Assessment Tool (CSAT). The Preparer, Submitter, Reviewer and Authorizer roles from those earlier submissions will be the same for the SSP Submission. The Preparers will typically be responsible for data entry. Reviewers will be able to look at the SSP submission on-line, but will not be able make any changes to the data. The Submitter will be responsible for the final facility review and actually submitting the completed SSP to DHS. The Authorizer will have no direct role in the SSP submission beyond verifying to DHS any changes made to the Preparers or Submitter. Facilities may authorize a single person to have multiple roles with the exception of Reviewers; no one designated a Reviewer will be allowed to be a Preparer or Submitter. Typically those individuals who were assigned to Preparer, Submitter, Reviewer roles in earlier CSAT submissions will be performing the same roles during the SSP submission. This is not, however, required by DHS. Facilities may make changes to any of these roles at the start of the SSP submission process. Additionally, multiple Preparers and Reviewers may be added for each facility. Facilities must remember that anyone accessing the facility records in CSAT must have completed the on-line CVI training and is an Authorized CVI User. Multiple Preparers DHS has added provisions for facilities to use multiple Preparers, something new for the SSP Tool. They recognize that there will be a number of facilities that will be using people variety of technical skills and backgrounds for preparation of the SSP. The decision was made to allow facilities to decide to allow those subject matter experts to help prepare the SSP submission in their respective specialty areas. The SSP Instructions manual implies that multiple Preparers may be working on the SSP at the same time when it says (page 9): “When multiple preparers are updating the same SSP, changes made by one will be visible to the others as soon as those changes are saved (by clicking Save, Next or Back).” This appears to be misleading because the same document later notes that SSP must be completed sequentially. On page 11 it explains that:
“That is, when you jump back to a previous section, all preceding sections will become un-highlighted [inaccessible] and you will be required to page through all the subsequent pages of the SSP tool. This is necessary because the SSP tool adapts the pages presented for completion based on answers on previous pages and a change within one section might require you to answer additional/different questions later.”
Given that subsequent pages may affected when data is entered into an SSP page, it will be a good idea for facilities to coordinate the data entry efforts made by multiple Preparers. When changes have to be made on previously completed sections it will certainly be a good idea for Preparers to review subsequent sections that have already been completed. This will make the review job of the Submitter much easier and reduce the number of SSPs rejected by DHS. Data Preparation The Instructions manual (page 5) provides a fairly comprehensive list of resources that facilities will need to complete the SSP submission process. The DHS list includes such things as copies of the CFATS regulations, the facility Top Screen and SVA submission, a copy of the FNL, among other things. All of the things on the list will undoubtedly be valuable for the Preparers and Submitter have readily at hand during the preparation for the SSP submission. In fact, it would make things much simpler if all of this material were maintained in a lockable office set up just for CFATS administration at the facility. This would make it much easier to comply with rules for safekeeping of CVI. A number of the items on the DHS list of resources are CVI and draft documents that the facility compiles for the purpose of SSP submission will be CVI as well. A dedicated room to which only CVI authorized personnel will have access to will make the required CVI security procedures much less intrusive to the SSP preparation and submission process. One invaluable resource that is not included on the DHS list is the SSP Questions manual. This manual provides a list of the questions found on the SSP tool. With room available to record answers and write notes this manual can serve as a workbook for the off-line preparation of the SSP submission. Again, as soon as any facility information is added to this manual it becomes CVI and only CVI Authorized Users may have access to the annotated document. The manual can also be used as a management tool for assigning responsibility for collecting and developing submission data. The manual can be printed and taken apart to provide teams or responsible individuals as an assignment template. This will allow them to work on portions that they are most familiar with. This will also provide for management review and approval of the data before it is added to the on-line tool. This will also make the Submitters review easier before the SSP is actually submitted to DHS. Once again, these partial documents will become CVI as soon as facility information is added. This means that marking and security provisions will apply to these portions of the manual and only CVI Authorized Users may work with them.

Sunday, May 17, 2009

DHS CFATS FAQ Page Update 05-15-09

Friday afternoon, after DHS updated their Chemical Security Web site for the SSP roll-out they added a number of new questions and answers to the CFATS FAQ web page. The following questions were added:

1621 - Where can I find a copy of the SSP Instruction Manual that is referenced in the SSP Tool?
1622 - Where can I find a copy of the Risk Based Performance Standards Guidance that is referenced in the SSP tool?
1623 - What if the pre-populated information in a given facility's SSP tool and the facility's Final Notification Letter do not match?
1624 - What is the purpose of the "other" boxes that appear throughout the SSP tool? 1625 - Are the Preparer, Reviewer, Submitter and Authorizer roles the same for the SSP as they were for the Top-Screen and SVA?
1626 - Can multiple Preparers work on the Top-Screen and the SVA as well?
1627 - Can I have multiple Preparers or Reviewers for the SSP?
1628 - How do I submit an ASP in lieu of a SSP?
1629 - Can a facility still upload an ASP if it answers "no" to any or all of the questions in Section 3.9.1 of the SSP tool regarding the content of the ASP?
1630 - What is the difference between Facility Security Measures and Asset Security Measures?
1631 - Which Risk-based Performance Standards (RBPS) apply to a high-risk facility?
1632 - The SSP requires a facility to provide the latest submission dates for its Top-Screen(s) and SVA(s). Where can I find these? 
1633 - As used in the CSAT SSP tool, what is the difference between a planned security measure and a proposed security measure?
1634 - My facility offered information in the SSP about security/vulnerability issues involving COI that are not listed in my DHS Final Notification letter; what are DHS' expectations about these other security/vulnerability issues and COI? 

My Comments 

There is a lot of good information in the answers to these questions. Most of this information will be covered in subsequent blogs about the SSP and RBPS that I’ll be writing over the coming weeks. If you can’t wait for those comments, feel free to click on the link provided and read what DHS has to say about these questions. Questions 1625, 1626, and 1627 are particularly interesting.

Friday, May 15, 2009

DHS Chemical Security Web Page Updated 05-15-09

When DHS rolled out the new SSP tool earlier today they made a number of other changes to their Chemical Security Web pages. The landing page is updated with a brief description of the roll-out of the SSP and an updated link to the new CSAT landing page. That page no longer has all of the CSAT tools on one page; each tool now has its own page. This should make it easier for the DHS web managers to keep the individual CSAT Tool pages updated. To make it easier to find/download copies of the various manuals, user guides and questions there is a “Key Documents” block on the right side of every CSAT Tool page that provides a listing of all of these documents. To make it easier to see if you have the most recent volume, DHS has included the date of the document in the description. The only exception to that is the RBPS Guidance document. Since there is only one version (excepting the draft released last year) it does not make much difference. Hopefully when DHS updates this manual listing in the “Key Documents”, they will include a date for the new document. The Site Security Plan web page has two additional document links on the page that are a little unusual. First there is the RBPS Response to Comment; a document that reviews the comments that were received on the Draft RBPS Guidance document and the DHS response to those comments. I have not yet had a chance to review that document, but it should provide some additional insight into the DHS thinking about the RBPS. The second unusual document is the CSAT SSP Screenshots. According to the first page:
“This document is a copy of certain portions of the Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) template and is intended merely to give the reader some idea of the questions that an actual SSP will need to address.”
This is a real lengthy document and I don’t see how much use it will actually be to getting ready to submit the SSP. The question document will be a better preparation aid. Still, some people will find it useful to be able to look actual pictures of what some of the SSP screens.

HS Committee Passes HR 2200 in Bipartisan Vote

Yesterday the full House Homeland Security Committee marked up the version of HR 2200 reported out of the subcommittee last week and adopted the revised bill in a near unanimous vote (22-Yes, 1-present, 0-No), extending the record of bipartisan support for this bill. As early as next week the Committee Report on the bill should be reported to the full House, opening the door for a floor vote anytime there after. Because very few of the large number of amendments made to this bill in either the subcommittee or full committee hearings were read into the record we will not be able to tell for sure what HR 2200 actually contains until we see the amended version of the bill in the House Report. Most of the amendments made today were done on voice vote with little or no opposition. There were a few amendments that drew ‘perfecting’ amendments from the opposite side of the aisle. The votes on most of those issues were on the record and were closer to a party line vote. For example an amendment to require DHS to add current Gitmo Detainees to the Do Not Fly List was countered with an amendment to the effect that this should only be done after the President determines their ‘final status’. This was the most rancorous discussion during the hearing, but even that did not rise to the current level of bipartisan ‘debate’ seen on so many issues lately. This authorization bill still seems to be on the fast track for passage in the House. The broad (if some times grudging) support this bill received in these two markup hearings seems to indicate that this will have little problem passing a vote in the full House.

SSP-RBPS Rolled Out Today

At noon today the Department of Homeland Security rolled out the next phase of the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS). They published the Risk-Based Performance Standards Guidance (RBPS Guidance) document and opened the Site Security Plan (SSP) tool on their Chemical Security Analysis Tools (CSAT) web site. Two SSP supporting documents were also published on the CSAT site. Additionally they started the process of mailing out the notification letters that will let high-risk chemical facilities the official results of their Security Vulnerability Assessment (SVA) that were submitted last year. Finally, DHS has sent emails to the registered users of the CSAT that the RBPS Guidance has been posted on the DHS web site. RBPS Guidance The RBPS Guidance document is a more polished document than the draft that DHS published for public comment last year. It still does not spell out what a high-risk chemical facility must do to adequately secure itself from potential terrorist attack, but DHS has been prohibited by Congress from doing that. Instead it “reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities” (RBPS Guidance, pg 7). The general layout of the document and the basic content remains the same as the draft, but the new document will require a careful reading. There are some subtle differences in the information presented. Additionally, DHS has made it clear that this is a living document. In one of many footnotes in the document the RBPS Guidance notes that “DHS is likely to periodically update this Guidance document to take into account lessons learned throughout CFATS implementation, describe new security approaches and measures that covered facilities may wish to consider implementing, and provide information on any new or revised RBPSs” (pg 8). SSP Tool As with all of the previous tools published in CSAT, access to the actual SSP tool where high-risk chemical facilities will actually submit their SSP is limited to registered CSAT users. As with each of the previously published tools the CSAT web site includes downloadable copies of two documents that will aid Preparers and Submitters with the preparation and submission of the SSP. The SSP Instructions provides detailed instructions on how to answer the very large number of questions that constitute the method of submission of the SSP. The SSP Questions provides a way for facility Preparers to collect and organize the required information to make it easier to actually enter the information into the on-line SSP tool. Each of these lengthy documents should be read carefully before trying to collect and submit the data required for the SSP. Future Blogs As I have done with all of the other CSAT tools, I will be doing a number of blog postings looking at the details of the SSP Tool, it’s supporting documents and the RBPS Guidance document. This is probably the most complex portion of the CFATS process and will take a lot of time to analyze and explain. Of course, I have the luxury of not actually having to implement this at a real chemical facility. I certainly welcome and encourage anyone with questions and comments about these new documents to send them on to me ( or to post them as comments to this blog. I’ll do my best to explain things. DHS has also established a procedure for dealing with questions. You can contact the CFATS Help Desk either via e-mail at or by phone at 866-323-2957. They also provide the name and address of a real person to whom you can “submit questions via regular mail” (pg 9):
Dennis Deziel Deputy Director Infrastructure Security Compliance Division U.S. Department of Homeland Security, Mail Stop 8100 Washington, DC, 20528

Thursday, May 14, 2009

Potential SSI Regulation Changes

The Office of Management and Budget (OMB) recently published the Spring 2009 Update for the Unified Regulatory Agenda on the web site. Included in the DHS/TSA section of that site are listings for two potential changes to the regulations concerning the protection of sensitive security information (SSI). Neither of these actions are new to the Spring Update; they both appeared in the Fall 2008 updated on the same site. Protection of Sensitive Security Information (SSI) The current SSI regulations (49 CFR §15; and §1520 ) were last significantly modified in 2004 by an interim final rule on the protection of Sensitive Security Information (SSI). That rule was modestly modified by a minor technical amendment in 2005. TSA has yet to modify the IFR based on the comments received when the IFR was published. Typically that regulatory change would constitute the final rule, but TSA has yet to decide when and if such a final rule would actually be issued. Disclosure in Federal Civil Court Proceedings The second pending action would be required to implement section 525(d) of the U.S. Department of Homeland Security (DHS) Appropriations Act of 2007, which grants civil litigants or their counsel who do not currently have a need to know SSI access to specific SSI in Federal district court proceedings, if certain requirements are met. This proposed rule would establish an administrative process by which a limited number of individuals representing parties in Federal civil court proceedings would apply to TSA for access to SSI for use in the litigation. According to the site, TSA is currently planning on introducing the notice of proposed rule making (NPRM) this month. This is not a commitment to publish the NPRM in this month’s Federal Register; just a notice of intent.
/* Use this with templates/template-twocol.html */