Tuesday, May 19, 2009

Risk-Based Performance Standards Guidance Document

Last week’s opening of the Site Security Plan Tool on the DHS CSAT web site had been held up for months while DHS waited for the Office of Management and Budget to approve the publication of the Risk-Based Performance Standards Guidance document. That document will provide high-risk chemical facilities some assistance in determining what types of security measures will allow those facilities go receive DHS approval of their Site Security Plan.

This is the first in a series of blog postings that will provide a close-up look at that document. Draft Guidance Document Review Back in October DHS posted a draft version of the Guidance document on their web site and published a notice in the Federal Register requesting public comments on that draft. I prepared a series of blog postings on those comments as they were published (listed below). Of course, those blogs were my review and my opinions on the comments, not anything approaching an official review.

Comments on Draft RBPS Guidance – 11-28-08
Comments on Draft RBPS Guidance – 12-05-08
More Comments on Draft RBPS Guidance – 12-05-08
More Comments on Draft RBPS Guidance – 01-09-09

On the SSP tool web page DHS has provided a link to an official review of the public comments. That document broke comments down into two categories; General Comments, and Comments on Specific Security Issues. Then DHS looked at each of the comments (sometimes lumping a number of comments together) and provided their reasoning for either applying or not applying the recommended changes.

There is one set of comments that I would like to address, since my submission was one of the ones to suggest that the repeated disclaimers in the draft document severely weakened the authority of the Guidance. While not going as far as I suggested, DHS did make some changes that improved the document. The Comments Received document (pg 2) explains:
“To make the Guidance shorter and easier to read, the Department has decided to replace most of the disclaimers and related language with a single disclaimer at the beginning and in a brief footer on every page.”
Anyone that will be using the RBPS Guidance to inform their development of a site security plan (and that should include all Facility Security Officers at all high-risk chemical facilities) should take the minimal effort to read this 30 page document. Even if one hadn’t read the draft document, the explanation of the changes made to the document, as well as the changes not made, will provide additional information and guidance on what DHS is looking for in the Site Security Plan.


There is still a substantial disclaimer at the beginning of the document. The meat of that disclaimer has not changed from the one found in the draft document. The most important part states:
“This Guidance reflects DHS’s current views on certain aspects of the Risk-Based Performance Standards (RBPSs) and does not establish legally enforceable requirements for facilities subject to CFATS or impose any burdens on the covered facilities. Further, the specific security measures and practices discussed in this document are neither mandatory nor necessarily the ‘preferred solution’ for complying with the RBPSs. Rather, they are examples of measures and practices that a high-risk facility may choose to consider as part of its overall strategy to address the RBPSs. High-risk facility owners/operators have the ability to choose and implement other measures to meet the RBPSs based on the facility’s circumstances, including its tier level, security issues and risks, physical and operating environments, and other appropriate factors, so long as DHS determines that the suite of measures implemented achieves the levels of performance established by the CFATS RBPSs.”
Additionally, at the foot of each page is another, simpler disclaimer that essentially covers the same information. That disclaimer reads:
“Note: This document is a “guidance document” and does not establish any legally enforceable requirements. All security measures, practices, and metrics contained herein simply are possible, nonexclusive examples for facilities to consider as part of their overall strategy to address the risk-based performance standards under the Chemical Facility Anti Terrorism Standards and are not prerequisites to regulatory compliance.”
These disclaimers are required because when Congress authorized DHS to write the CFATS regulations they placed a number of restrictions on that authority. The one restriction that applies here is that the §550 authorization included language that prohibits DHS from requiring any specific security measure to be included in the Site Security Plan as a prerequisite for the approval of that plan. In order to be able to provide the guidance necessary the writers had to ensure that no one could interpret the guidance as requiring any specific security measure.

The writers did not limit their conformance to that restriction to just the inclusion of these disclaimers. The entire document was carefully crafted to avoid the appearance of requiring any specific security measure. The only exceptions to this are found in the discussion of RBPS #18, Records. There are specified record retention requirements listed, but, since these are not ‘security measures’ by any definition, and they come directly from the CFATS regulations (§27.255), they do not violate the Congressional prohibition.

The vast majority of the changes made from the draft Guidance document were made in the ‘metrics’ portion of the document. These metrics are misnamed because they do not really allow for measurement of compliance, which would be seen as prescriptive, but they do provide a broadly written narrative description of the type actions that DHS would like to see taken. The changes made in the final version of the document were not so much substantive, as editorial, to remove even the remote appearance of specifying a security measure.

RBPS Guidance and Enforcement

More than one commentor on the Draft Guidance document expressed their concern that the Guidance document would be used by DHS inspectors as an expression of requirements during the enforcement phase of the CFATS implementation. It may be a well founded concern, but for the wrong reason.

The wording in §550(a) of the Homeland Security Appropriations Act of 2007 (Public Law 109-295) is quite specific; “the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure”. The language is quite specific in referring to the ‘approval’ of the site security plan. There is no such restriction in the §550(e) wording concerning the requirement for the Secretary to “audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section”.

No one that I have talked to from DHS has ever mentioned this distinction. I have been told, however, that DHS will consider the approved Site Security Plan as a ‘contract’ between the facility and DHS outlining exactly what the facility is required to do to adequately secure the facility against terrorist attack. DHS may very well use the RBPS Guidance metrics as a measure of how well the facility has complied with that contract.

No comments:

/* Use this with templates/template-twocol.html */