Tuesday, June 30, 2009

QHSR ICR Redux 06-30-09

DHS published a second 30-day information collection request (ICR) notice in today’s Federal Register for their new public information collection effort for the Quadrennial Homeland Security Review. As I promised in my blog posting about the first ICR (published on June 2nd) I am providing additional information as it becomes available. According to this latest ICR notice DHS is currently planning on holding three ‘collaboration events’ on-line. They will be ‘held’ for five days on July 16-20, August 13-17, and September 17-21. The public will be invited to provide input on Homeland Security topics in which they are interested. Participants’ input will include (74 FR 31287):
“Comment and rate phase I solicited input, thereby prioritizing those concepts and suggestions they deem critical and which should be considered by the study groups during their respective reviews.
“Comment on and rate proposed strategic objectives and key strategic outcome statements for the homeland security mission areas under review.
“Vote on proposed mission objectives and outcome statements as to whether they agree or disagree with the proposed content.”
QHSR Study Groups will prepare input for the first two collaborative events and the feedback from each will be included in subsequent Study Group deliberations. The final Study Group reports will be ‘evaluated’ and voted upon by the public in the final collaborative event in September.
The public will be notified of the actual content that will be included in the collaborative events on the QHSR web site. Additional communications options being considered include announcements via the FedBiz network and a variety of social networking sites/tools such as Facebook and Twitter. I will certainly include such announcements in my blog postings.
Again, this sounds like it may be a very good tool for the government to get detailed public input into the policy development process. For this to work effectively, it will require a lot of detailed input from a wide variety of people. I certainly encourage all members of the chemical security community to participate in this process.

Video Surveillance Information

John Honovich has provided another tool on his web site, IPVideoMarket.info, to make it easier for people to find detailed information about video surveillance tools, techniques, and suppliers. John’s web site provides an interesting mix of free and fee-based information on a wide variety of video surveillance topics, and this new tool provides detailed information about how to find and use that information. John’s new tool provides links and a brief video tutorial on:
Getting Started in Video Surveillance
Finding What's New in Video Surveillance
Finding Information on Companies and Products
Searching for Video Surveillance Information
What's inside the Premium Subscription Service?
How do I sign up?
How do I cancel my subscription?
How do I get covered/reviewed on IP Video Market Info?
The last area provides information to video surveillance equipment and service providers on how to get their products and services covered on John’s web site. John explains that he wants companies to explain how they provide “more value or is novel compared to existing market offerings”. John explains that: “My goal is to provide information on technology and products that the community would find interesting or novel. It's not based on ad purchases or sponsorships so as long as I can understand your advantages, I will be happy to review and feature you on the site.”
Once again, I believe that John’s web site provides a good source of information for facility security officers looking to find basic information about video surveillance tools, techniques and service providers. It will not make anyone an expert on video surveillance, but it will help the novice understand what is being said and done by contractors and consultants that are providing video surveillance services to the facility.

Monday, June 29, 2009

DHS Law and Regulations Web Page Update 06-26-09

On Friday, June 26th DHS updated the Chemical Security portion of the Law and Regulations web page. The new page adds a link that was missing from an earlier version of the page and adds sections for two new publications.
Authorization Link
Section 550 of the Homeland Security Appropriations Act of 2007 (Public Law 109-295) provided the authorization for the establishment of the CFATS regulations. That authorization was amended by §534 of the Consolidated Appropriations Act for FY 2008. The earlier version of this page described a .PDF file combining the two sections into a single §550 but did not provide a link to that document. That link is now available on the page.
New Sections
There is now a section describing the final version of the Risk-Based Performance Standards (RBPS) Guidance document following the section on the Draft RBPS Guidance document. Additionally, there is now a section addressing the CFATS Personnel Surety Information Collection Request that was published earlier this month.
Missing Information
These changes help to make this web page a more complete collection of information on the laws and regulations that affect Chemical Security. There are two areas that should be added to this section to make it a true ‘one-stop shop’ for chemical security information: ammonium nitrate rules and freight rail security rules.
DHS is in the process of developing the rules for regulating the sale and transfer of ammonium nitrate under the authority provided by §563 of Subtitle J of the 2008 Consolidated Appropriations Act (Public Law 110-161). An ammonium nitrate section on this page could include a link to the authorizing language and a copy of the ANPRM that was published on October 29th of last year.
While the ammonium nitrate regulations will be administered by the same people in DHS that administer the CFATS regulations, the freight rail security rules {49 CFR §1580.101 thru §1580.107} are administered by TSA. That may explain why they are not included on this page. In my opinion, this makes it even more necessary for these regulations to be referenced on this page because they do impose significant chemical security obligations on chemical facilities that would typically be expected to use this page. Besides, the TSA web site is poorly organized and seldom updated.

TSA Finalizes Background Check Regulation

In Friday’s Federal Register the Transportation Security Administration published a final rule implementing sections 1414(e) and 1522(e) of the 9/11 Act prohibiting public transportation agencies, railroad carriers, and their respective contractors and subcontractors from knowingly misrepresenting Federal guidance or regulations concerning security background checks for covered individuals. The legislature included these sections in the 9/11 Act because they were concerned that employers would use the background check requirements as a cover for personnel actions that would not be permitted under normal labor relations laws. In July of last year TSA published an interim final rule (IFR) adding §1570.13 to 49 CFR (73 FR 44665). With the publication of that IFR TSA requested public comments. No comments were filed by the time the comment period closed September 2nd, 2008. With the lack of public comments, TSA has decided to publish this final rule making permanent the provisions of 49 CFR §1570.13. This final regulation is effective as of June 26th, 2008 when it was published in the Federal Register. Since there is effectively no change being made to the rules, TSA does not need to give advance notice of the effective date for this final rule. Similar wording to §1414(e) and §1522(e) is being included in the Chemical Facility Anti-Terrorism Act of 2009 (HR 2868) because specific background check guidance is provided in that legislation. One would expect that DHS would include wording similar to §1570.13 in any revisions required to 6 CFR part 27 if HR 2868 were to pass this year.

SSP Submission – RBPS #4 Deter Detect and Delay

This is another in a series of blog postings on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are:
Preparing for SSP Submission
SSP Submission – Facility Data
SSP Submission – Facility Security Measures
SSP Submission – RBPS #1 Restrict Area Perimeter
SSP Submission – RBPS #2 Secure Site Assets
SSP Submission – RBPS #3 Screen and Monitor
This section of the SSP looks at security measures, processes and procedures that specifically serve to deter, detect and delay potential terrorist attacks on the facility. This section only applies to facility-wide security measures. It does not include provisions for answering questions about securing individual critical site assets.
Previously Provided Information
Many of the questions will look like they have already been answered in previous sections of the submission. It is not clear from the manuals provided by DHS if the previous responses will cause the information to be ‘pre-populated’ into these new questions. If the information does not get automatically carried forward into this section, facility Submitters are going to have to carefully review duplicative questions to make sure that consistent answers are provided.
It is interesting that the questions on anti-vehicle barriers on the facility perimeter in this section were not found in support of the RBPS #1 section, but were seen earlier in the RBPS #2 section dealing with security measures for site assets. Similarly, the questions about security lighting were found in RBPS #2 but not RBPS #1. Neither set of answers will ‘carry forward’ to this RBPS since they were directed at asset security, not perimeter security. Answers from RBPS #2 questions (or any other question about asset specific security measures) should not be ‘transferred’ to questions for this RBPS.
Anti-Vehicle Measures
Preparers can find definitions and descriptions of the vehicle barriers in Appendix C of the Guidance document. The ‘K rating’ system is also briefly explained there. K rating data should be available from the barrier installer, though facilities should probably check with manufacturers to ensure that the installer is trained and certified in the proper techniques for installing the barriers. Many manufacturers will be able to recommend independent inspectors that will verify the installation was done in a professional manner. Proper installation is critical for ensuring that the barriers meet their ‘rated’ K values.
CCTV Measures
Most of the CCTV questions found in this section were found in both RBPS #1 and #2. The answers from the RBPS #1 questions should be the same as the answers for these questions. This is where one might expect that a well designed system would pre-populate the answers with those provided in an earlier section. There should be no intention on the part of DHS to ‘catch’ facilities in inconsistencies.
There are a couple of new questions in this RBPS section that probably should have been included in the list of questions for both RBPS #1 and #2. Two completely new questions (requiring a yes/no response) are (pg 139):
Is the surveillance system integrated with the access control system?
Is the surveillance system integrated with the intrusion detection system?
These are interesting and potentially important questions. I am more than a little surprised that there are no follow-up questions regarding the details of the integration. The other ‘new’ question is more of a follow-up question to one asked in the RBPS #1 section. The earlier question (pg 74) asked about the monitoring frequency. This question asks about monitoring responsibility. The provided answers (including the obligatory ‘other’) are:
System monitoring and control by dedicated control room operator.
System monitoring an ancillary responsibility of control room operator.
System monitoring and control by dedicated security force member.
System monitoring an ancillary responsibility of security force member.
Since these questions are going to be used by DHS to evaluate the effectiveness of the CCTV system (if present, of course) in detecting an attack in progress, facilities should be careful to use the ‘other’ response on this question to address any aids that the facility might use to help those monitoring detect a penetration. Automated surveillance systems should certainly be listed here.
Security Forces
This RBPS Section of the SSP includes a mix of new and repeated questions about the security forces. The question about security patrols is a duplicate from RBPS #1 (pg 76) and RBPS #2 (pg 104). As mentioned previously the answers from RBPS #1 should be duplicated here while straight copying of RBPS #2 may not be appropriate.
The new questions here deal with the details of where the security forces are housed; what the Questions Manual calls ‘security structures’. First a question is asked about ‘stationary posts’. One has to assume that this question applies to stationary posts for security personnel from the listing of posts provided, but an unmanned personnel entrance that uses some sort of access control system could qualify for a ‘main personnel entrance’. I question the inclusion of ‘special posts’ along with the standard entry for ‘other’ since there is no requirement to explain what constitutes a ‘special post’ while a response of ‘other’ requires that the facility provide a description of that type of post.
There are three questions specifically about ‘security structures’; presumably this means buildings used to house one of the previously identified ‘stationary posts’. It seems redundant to ask if a facility has ‘security structures’ after asking about ‘security posts’. The next question deals with physical structure and protections associated with these security structures. This question only makes sense if it were asked for each of the structures identified in the stationary posts question since the provided answers may only pertain to one of the posts. The same could be said about the question dealing with ‘controls’ available within the security structure. While some facilities might have duplications of all security controls at all security posts, this is probably not a good idea for most facilities, particularly when control of an isolated post might allow an attacker to control cameras and intrusion detection systems to avoid detection.
There is one question that follows the security structures questions that deals with ‘process controls’ available at the facility. The question asks what ‘process controls’ are available at the facility and provides the following answers:
Both security and operational functions
Security functions
Operational functions
Neither Security nor operational functionality
Other
There is no explanation provided in the Questions Manual or Instructions Manual about what types of ‘process controls’ are being covered in this question; not even explaining if they are asking about cyber controls or manual control systems. This is especially confusing since there are no follow-up questions about locations of the controls for those systems or protections offered to such systems.
Adversary Delay
There are a series of questions about internal access controls and barriers used to delay potential adversaries from reaching critical assets within the facility. These questions seem to duplicate those found in RBPS #2. What should be clear here is that these are still facility-wide measures and not measures dedicated to individual critical assets.
Facilities that did not define critical assets in RBPS #2 should certainly include any internal controls in their response to this question. It is harder to determine what DHS is looking for if the facility did identify and report security measures for critical assets within the facility. If there are internal security measures that were not reported for individual assets, they should certainly be reported here. If security measures reported in RBPS #2 serve other critical areas within the facility they should probably be reported here. Finally, security measures unique to specific critical assets that have been reported for those assets in other areas of this SSP should probably not be reported here.
Key Control
There are a number of questions about the ‘key control’ procedures that the facility uses. Actually, this classic physical security process has been expanded beyond the old style key and combination control procedures. With the expansion of the use of credentials that allow access through automated access control systems, this key control section includes control of those credentials. All but one of the questions included in this section are straightforward and require little or no explanation.
The one odd ‘question’ is the one that states:
Select "Yes" for all the key inventory/controls the facility has:
The available answers make it clear the question is actually about who administers the key control process. While there is a ‘company’ and a ‘security department’ response there should probably have been a ‘facility’ response as well for those facilities that have a facility control procedure that is not managed by a security department.
Security Forces
The final section in this RBPS concerns the use of security forces. This is one area of the SSP that is going to be the most controversial because of the references to armed security personnel. From comments received during the draft RBPS Guidance review it is clear that many facilities are adamantly opposed to the use of armed security personnel. From the questions found in this section there is no real clue about how DHS will address this issue in their approval of the SSP.
The section starts out with the typical ‘does the facility have’ question. A no answer in this case bypasses about half of the questions in the section. What is surprising is that questions about off-site armed response (presumably including police force response) are bypassed by a no response to this question. I hope that there is a disconnect between the Questions Manual and the actual SSP in this case. The question of off-site response is especially critical for facilities that have no on-site security forces.
This is not the only organizational anomaly found in this section. In the section that all facilities are required to answer are two questions about ‘posted personnel’. The first question asks about the types of observation provided by posted personnel. Many facilities that answered no about the security force personnel are going to be confused about how they can answer this question. The next question provides some additional guidance by including non-security operations personnel in who may provide observation. 
Finally, the ‘tactical positions’ question should have been included in the portion of this section by-passed by a ‘No’ response to the initial security force question. A facility that does not have a security force is unlikely to have ‘hardened/defensive positions’ or ‘hardened fighting positions’.

Friday, June 26, 2009

DHS S&T Advisory Committee Meeting – 07-21-09

In yesterday’s Federal Register DHS published a meeting notice for the DHS Science and Technology Advisory Committee. This classified level meeting will be held on July 21st thru July 23rd in Arlington, VA. Since classified material will be discussed the three day meeting will be closed to the public. The classified information will include updated threat briefings; reviews of sensor technologies in science and technology; and reports from the Committee panels. In addition, intelligence agencies, Department of Defense and Homeland Security experts will present SECRET-level briefings concerning matters sensitive to homeland security. Anyone wishing to have information distributed to committee members during this meeting will have to submit that information to the http://www.regulations.gov/ web site (docket # DHS-2009-0082) before July 10th.

Wednesday, June 24, 2009

Reader Comment – 06-24-09 – TWIC Availability

Earlier today Wally Magda left a comment about an earlier blog on background checks and TWIC. Apparently responding to my statement that: “If facilities were to get TWICs for each of their employees that had access to restricted or security areas, this would almost certainly fulfill the RBPS #12 requirements.”; Wally writes:
“Great TWIC can't be obtained in some states because there aren't any enrollment centers. One example is Colorado. I would have to travel quite a distance to get a TWIC processed.”
Wally brings up a very good point that I overlooked in my posting. TWIC could be used to fulfill the RBPS #12 background check ‘requirements’, but states removed from the coast or navigable waterways may find it difficult to get ready access to ‘enrollment centers’. TWIC was designed to provide identification for workers at port facilities, not all chemical facility workers. This means that the enrollment centers are more likely to be near those port facilities. Land-locked states like Colorado are less likely to need the services of such a center.
This problem may be aggravated by a provision in the Safe Trucker’s Act section of HR 2200. That provision, §432, would require DHS to write rules requiring truckers carrying ‘security sensitive materials’ to have TWIC. DHS would be required to start issuing these licenses by May 1st, 2010 so maybe they would have time to establish more enrollment centers in parts of the country that are currently underserved.

HRes 573 for Consideration of HR 2892

Yesterday evening the House Rules Committee submitted their report on HRes 573 which provides the rule for the consideration of HR 2892, the DHS Appropriations Act of 2010. The rule describes how the House will consider HR 2892 including what amendments can/will be submitted during consideration on the floor.
I reported yesterday that the Rules Committee would consider only one amendment that would be of interest to the chemical security community; the Dent amendment to deny funds for the enforcement of IST provisions under CFATS. That amendment did not make it to the list of amendments that will be considered on the floor. Now, the only thing of consequence to the chemical security community is the funding for CFATS enforcement which is apparently unchanged from earlier discussions about this appropriations bill.
No word specifically on when this bill will be called up for consideration. It could certainly come to a floor vote this week.
NOTE: The following was added at 09:11 a.m. EDT: The Congressional Record Daily Digest for June 23rd notes (pg D752) that the House will consider HR 2892 (subject to a rule) today.

CFATA Passes in Committee

The House Homeland Security Committee held their third and final markup hearing on HR 2868 yesterday. This final meeting was held so that the committee could finish voting on three amendments that were considered last week. All three amendments failed on the recorded votes. The amended bill was passed and will be reported favorably to the full House. All votes today were on straight party lines.
Members will have two days to submit their comments to be included in the report to the House. This means that the committee report and the amended language will probably not be available until at least Thursday. With no hearing currently scheduled on this bill before the Energy and Commerce Committee, the full House will not take up this bill before the 4th of July recess.
With the August recess fast approaching it is unlikely that this bill will be taken up in the Senate until September or October. It is certainly beginning to look like inclusion of a CFATS extension in the appropriations bill was a smart move on the part of the Administration.

Tuesday, June 23, 2009

House Rules Committee Hearing on HR 2892

As I noted in yesterday’s blog, the House Rules Committee will hold a hearing this afternoon at 5:00 pm (well, I may have forgotten to include the date/time) to prepare the rule for the consideration of HR 2892, Department of Homeland Security Appropriations Act, 2010. They have on their Committee Web site a list of all of the amendments that have been filed for consideration with this bill. It is a lengthy list, filled with all manner of political objectives. Surprisingly, there is only one amendment that concerns the CFATS regulations; it is amendment #65 submitted by Congressman Dent (R, PA). The summary of that amendment reads:
“Would ensure that no funds appropriated for the expansion of the Chemical Facility Anti-Terrorism Standards would be used to mandate the implementation of inherently safer technology (IST) at chemical facilities covered under the program.”
The fact that Mr. Dent would try to limit the application of mandatory IST rules should come as no surprise to anyone that has followed the recent hearings on HR 2868 (Hearing and Markup). What would seem surprising is that an amendment like this to the FY2010 Appropriations Bill would probably not affect the operations of HR 2868 since the rules supporting that legislation are not required to be in place before January, 2011 at the earliest and could easily be expected to be in place no earlier than the beginning of FY 2012. Oh well; one must at least admire Mr. Dent for his consistency of purpose. One would certainly expect that if this amendment were to make it to the floor of the House, that it would be voted down on a nearly party-line vote.

Monday, June 22, 2009

Reader Comment – 06-22-09 – S 1274

Michael A. writes about today’s blog on S 1274: “One thing at a time. This is aimed at something very specific and something lots of Senators can easily get onboard with. Now as long as it's not overloaded with amendments.... ;)”
He makes a good point. This is simple and straightforward legislation and because it is obviously targeted at Bayer CropScience this should have little problem passing if it makes it to the floor. I suspect that it stands a much better chance of being added to the DHS budget bill. That will avoid all of the unpleasantness of committee hearings and such.
I don’t like the ‘one thing at a time’ approach. It can cause significant confusion. This is a pretty good case in point. If this bill passes because it is the ‘Bayer’ bill and nothing else is done about the other places where SSI provisions exist, we will see the same type of action take place again. Only it may not be as big a deal as MIC and Institute, WV with all of the attendant publicity that that entailed. Or it may not be a government agency like the CSB that gets hit with the limitations and threats of lawsuits. In those cases not enough people may notice.
In any case the time to solve the problem is now while everyone’s memory is clear and sharp about the problems that this situation caused. Just solving this for Bayer CropScience will do no good; after all, they have promised to sin no more.

Congressional Hearings – Week of 06-22-09

According to the Daily Digest (06-19-09) of the Congressional Record, it looks like there will only be two hearings this week that will deal with matters of interest to the chemical security community.
As I have already mentioned the Homeland Security Committee will finish up their markup of HR 2868, CFATA of 2009, on Tuesday at 5:30 pm. This should be a fairly quick ‘hearing’ as there should only be recorded votes on two amendments that ‘failed on voice votes’ on Friday. Then the Committee should vote on the bill as amended. There is always the possibility that additional amendments might be brought up, but it is unlikely that it will happen on this bill.
The second hearing will be in the House Rules Committee and will cover HR 2892, the DHS Appropriations Act, 2010. This is where the Rules Committee will establish the ground rules for the debate of this bill on the Floor of the House. The most important part of this hearing will be determining what amendments will be debated and voted upon. It is very likely that this bill will come to the floor before the July 4th recess.

S 1274 Status 06-19-09

A copy of Sen. Rockefeller’s bill, S 1274, to stop MTSA facilities from hiding safety information behind Sensitive Security Information (SSI) protections has finally been posted on the GPO web site (access through www.Thomas.LOC.gov). It is actually a very short bill and I am not sure how effective it will actually be in preventing actions like those Bayer CropScience took earlier this year. The key provision of the bill is the amendment of §70103(d) of title 46 USC adding subparagraph (2):
“LIMITATIONS.—Nothing in paragraph (1) shall be construed to authorize the classification of information as sensitive security information (as defined in section 1520.5 of title 49, Code of Federal Regulations)—
(A) to conceal a violation of law, inefficiency, or administrative error;
(B) to prevent embarrassment to a person, organization, or agency;
(C) to restrain competition; or
(D) to prevent or delay the release of information that does not require protection in the interest of transportation security, including basic scientific research information not clearly related to transportation security.”
This section only affects MTSA covered facilities. It has no effect on any other areas that use the SSI ‘classification’. It certainly would have no effect on CVI being used for the same purposes under CFATS.
I also find it interesting that there was nothing in the CFATS reauthorization legislation (HR 2868) covering this situation. Rep. Markey (D,NY), a key player on the House Energy and Commerce Committee, has talked about offering legislation covering this topic, also as a result of the Bayer CropScience fiasco. It will be interesting to see if he includes this type of language in the markup of 2868 before the Energy and Commerce Committee.

Friday, June 19, 2009

HR 2868 Markup Hearings

I almost did not write this blog this afternoon; it is late Friday afternoon and few people will see this. Besides, most of the information was posted on Twitter (PJCoyle) more or less as it happened. But here it is anyway since this blog is more ‘permanent’ than Twitter.
The hearing started yesterday morning but was effectively stopped by a long series of procedural votes on the House Floor that were beyond the control of the Chairman. Even today’s hearing was interrupted twice by more reasonable voting requirements on the Floor. Then the hearing was cut a little short so that people could catch flights home. To allow for a full discussion of the amendments being considered, Chairman Thompson and Ranking Member King agreed to hold roll call votes until next week (5:30 pm, Tuesday, June 23rd).
The Amendments
Here is a quick summary of the amendments and their outcomes.
Thompson – An amendment in the nature of a substitute. Actually this was a combination of a number of amendments from various committee members (mostly Democrats) that the Chairman and Ranking member agreed were relatively uncontroversial, so they were all rolled into one amendment and the resulting re-worded bill is now the ‘original’ bill. Passed on voice vote.
Lungren – Add IST appeals process before Administrative Law Judge. Approved on voice vote.
Dent – Modify IST provision to require the Secretary to consider effects on employment levels when making implementation decision. Passed on voice vote.
Broun – Remove IST assessment requirements for Tiers 3 and 4. Remove IST mandatory implementation requirement. Failed on recorded vote 11-15.
Souder – Modify definition of ‘measures to reduce consequence of terrorist attack’ to include some security measures. Failed on recorded vote 11-16.
Austria – Exempt ‘small business’ from IST requirements. Mr. Pascrell offered ‘perfecting amendment’ that would have removed exemption but would require DHS Secretary to report on IST effects on small business. Perfecting amendment passed on recorded vote 18-11. Amended Austria amendment passed on recorded vote 29-0.
Jackson-Lee – Two amendments considered en bloc. Change DHS citizen suit action time from 60 to 120 days. Removed language requiring community notification from §2103. Passed on voice vote.
Dent – Strike §2111 (IST). Failed on recorded vote 11-14.
Cao – Require DHS to hire 100 additional CFATS inspectors in FY 2010 and FY2011. Passed on voice vote.
Cao – Modifies definition of ‘employee representative’ to only include people working at that facility. Failed on voice vote.
Braun – Require termination of any employee found to have disqualifying factor on background check. Failed on voice vote.
Bilirakis – Provide DHS with direct hire authority for DHS inspectors for the next two years. Failed on recorded vote 11-17.
McCaul – Strikes civil suits language and replace with requirement for DHS IG to investigate complaints. Failed on voice vote; recorded vote on Tuesday.
Broun – Strike §2116 (Civil Suits). Failed on voice vote; recorded vote on Tuesday.
Austria – Require DHS to establish tip line to receive reports of security issues. Passed on voice vote.
Souder – No explanation was given for this amendment which everyone supported. Passed on voice vote.
Broun – Requires termination of employees that are found to be illegal aliens during background check. Passed on voice vote.
My Comments
Chairman Thompson and Mr. King are working hard together to run a collegial committee and strive for a bipartisan effort in developing the legislation. There are still some serious philosophical differences on IST and Civil suits. I doubt that the minor changes that have been made will be sufficient to provide the Chairman with a Republican co-sponsor on the legislation. Having said that, there will not be bitter opposition to the bill in committee, so he might get a pro forma vote or two from the Republicans. 
The Committee votes on Tuesday evening will mean that the document of ‘Committee Actions’ will not be on the Committee web site until some time Wednesday. I doubt that the report will be out until the week of the 29th. The bill still has to go through the wringer in the Energy and Commerce Committee, so I doubt that this will come to the floor before the 4th of July recess.

S 1298 Status – 06-18-09

Sen. Byrd introduced the FY2010 DHS budget bill, S 1298, yesterday. The Senate Appropriations Committee also has filed their report, S 111-31, on the legislation. Both are available on the GPO web site (accessed via www.Thomas.LOC.gov). I am not going to bother trying to do a line-by-line comparison of the two budgets. It just takes too long with documents of this size and complexity. Besides we still have amendments to be made on the floor, at least, and perhaps yet in committee.

Senate DHS Budget Markup

On Wednesday, June 17th, the Homeland Security Subcommittee of the Senate Appropriations Committee held their markup hearing on the FY 2010 budget bill for DHS. According to a press release from Sen. Byrd (D,WV), the Subcommittee Chair, the version of the bill reported to the Full Committee includes $103 million for the CFATS program which includes a total increase of 168 additional full time employees over the FY 2009 number. The bill did include a one year extension of the CFATS authorization as requested by the Obama Administration.

Thursday, June 18, 2009

HR 2883 Text Available

As I noted yesterday, HR 2883, Wastewater Treatment Works Security Act of 2009, was introduced in the House on Tuesday. The GPO web site (access via http://thomas.loc.gov) now has the text available for download. It is a relatively short bill, only 16 pages. It amends the Federal Water Pollution Control Act to provide for security at wastewater treatment works. It would add §222, Wastewater Treatment Works Security, to that Act.

Assessment of Treatment Works Vulnerability
This bill would require owner/operators of Wastewater Treatment Works to conduct vulnerability assessments if they stored or used “a substance of concern in quantities deemed by the [EPA] Administrator to pose a security risk”. That assessment would be addressed at intentional actions that would ‘substantially’ disrupt the operation of the facility or present a hazard to “critical infrastructure, public health or safety, or the environment” {§222(a)(2)(A)}. The vulnerability assessment would include the development of a site security plan that would identify ‘specific security enhancements’ designed to decrease the vulnerabilities identified in the assessment.

The EPA Administrator would have until December 31st, 2009 to develop (with the advice of the DHS Secretary) guidelines for carrying out the vulnerability assessment and developing the site security plan. The guidelines would also identify an “array of potential security enhancements, including procedures, countermeasures, or equipment” {§222(a)(2)(D)(ii)(I)} that the owner/operator could use to reduce the facility vulnerability. Those guidelines would also include standards for establishing the relative risk to the facility and assigning the facility to one of four risk-based classifications.

The EPA Administrator would also have to work with the DHS Secretary to develop a list of ‘substances of concern’ and a threshold quantity for each substance. Appendix A to 6 CFR Part 27 will be ‘taken into consideration’ when the list is developed.

The vulnerability assessments would be required to be submitted to the Administrator on a staggered schedule based on the risk ranking, with the highest risk facilities being required to submit their assessment by December 31st, 2010. The Administrator would then be responsible for approving or disapproving the adequacy of the assessment and associated security plan.

The assessment guidelines would also establish rules for the protection of information developed under this section. The rules would establish that the information could not be disclosed under §552 of Title 5 USC or under state or local laws. The rules would establish procedures for sharing information with “State and local government officials possessing the necessary security clearances, including law enforcement officials and first responders, for the purpose of carrying out this section” {§222(a)(5)(C)}.

Grants
The Administrator is authorized to make grants under this program for ‘Security Assessment and Planning Assistance’. Additionally, grants may be made for ‘Technical Assistance’ to small publicly owned treatment works. Grant funding may be made through non-profit organizations. The bill authorizes $200 million for security assessment and planning assistance grants and $15 million for technical assistance to small, publicly owned treatment works. Those amounts are authorized for FY2010 thru FY2014.

My Comments
It is interesting that the word ‘terrorism’ never once appears within this bill. I am sure that was deliberately done to avoid having to have this bill referred to the Homeland Security Committee in addition to its current assignment to the House Transportation and Infrastructure Committee. The fact that it was not also assigned to the Energy and Commerce Committee probably means that this bill will not actually get considered unless HR 2868 fails to make it into law. After all, that bill much more effectively addresses the security requirements of waste water treatment facilities that qualify as chemical facilities than does this bill. Of course, I may be wrong in this assessment. This bill was cosponsored by Chairman Oberstar of the Transportation and Infrastructure Committee.

CFATA Hearing Review

While I did get a chance to watch the CFATA hearing before the House Homeland Security Committee on Tuesday (as my TWITTER followers know), I have had limited opportunities to sit down and put my thoughts and observations together. So, better late than never, here is what I thought about the hearing.

The Witnesses
The first panel to testify was the dynamic duo from DHS, Deputy Under Secretary Philip Reitinger, and the Director of Infrastructure Security Compliance, Sue Armstrong. All kidding aside, the two did provide good representation for the Department. Mr. Reitinger provided the high-level, policy responses while Ms Armstrong provided detailed responses about the current CFATS program. Interesting note: Committee Members did have problems with titles for these two witnesses; more than one promoted Ms Armstrong to Under Secretary.

The second panel was not the balanced, pro and con, collection that one typically sees in policy discussion hearings. Chairman Thompson had three high-level opponents to many of the CFATS provisions: Vice President Marty Durbin of the American Chemistry Council, Dr. Neal Langerman representing the American Chemical Society, and Martin Jeppeson, the Director for Regulatory Affairs for the California Ammonia Company. There was one semi-advocate for inherently safer technology (IST). Assistant Director Paul Baldauf of the New Jersey Department of Environmental Protection is responsible for the implementation of the New Jersey IST program, but is not one of the nationally known proponents of the IST program proposed in CFATA. It looked like Chairman Thompson was bending over backwards to give his opponents their day ‘in court’.

Unusual Bipartisan Opposition
While Chairman Thompson included a comment about his hope to be able to continue to build bipartisan support for legislation that has been a hallmark of the Committee during this session, he was hit almost immediately with a comment by the Ranking Member, Congressman King (R,NY), supporting President Obama’s call for a one year extension of the current CFATS regulations. The other Republicans on the Committee that were present were unanimous in their support for the President’s position.

Mr. Reitinger confirmed that the Administration’s inclusion of the one year extension for CFATS in their budget request was put there to allow DHS to fully implement CFATS and then work with Congress to make any necessary changes. This contradicted Chairman Thompson’s brief contention that the one year extension in the budget was a back-stop to make sure that CFATS would not expire if Congress did not pass reauthorization legislation before October.

A New Controversy
Before this hearing the main controversy with the proposed reauthorization language was the inherently safer technology (IST) provision that the Democrats had been trying to include in the security regulations since 2005. While there was some perfunctory discussion of IST during the hearing, the bulk of the discussion centered around the new provision to make its way into this year’s bill, §2116 Citizen Lawsuits. This provision would allow people without direct legal interest in the matter to sue in Federal District Court to enforce provisions of the bill.

Not unexpectedly, the industry representatives on the panel and the Republican members of the Committee were adamant in their opposition. They were joined, again, by Deputy Under Secretary Reitinger. In his opening statement he explained that the Department “has significant concerns with the citizen suit provision” (pg 6) included in the legislation. Under questioning, he refused to go into the details of that concern because the Department had not had adequate time to review the legislation that had just been introduced the evening before.

Other Interesting Data
While most of the hearings of this type are necessary political theater with no one really listening to the questions or answers, there were a few interesting tidbits of information that did come out. As one would expect, these items came from Ms Armstrong:

Tier 2 notification letters would go out by the end of this month.
The first Tier 1 facility inspection would take place in 1 Qtr FY 2010.
DHS S&T people are currently doing a literature search on IST technology.
There have been 365 full and 135 partial MTSA exemptions claimed under CFATS.

There was one interesting policy suggestion made by Mr. Pascrell (D, NJ). He suggested that DHS might consider allowing state enforcement of CFATS. It will be interesting to see if this makes it into one of the proposed amendments to this legislation.

There was little heat in the discussions, but there was very little exchange of ideas. This is too typical of Congressional hearings. Representatives ask questions, but do not really listen to the answers. They especially do not listen to the questions (and responses to those questions) asked by other Representatives. I will give all of these witnesses credit though; there were attempts to answer each of the questions asked instead of responding with talking points.

RBPS Guidance – RBPS #4 Deter, Detect and Delay

This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were:

Risk-Based Performance Standards Guidance Document
RBPS Guidance – Getting Started
RBPS Guidance – RBPS #1 Restrict Area Perimeter
RBPS Guidance – RBPS #2 Secure Site Assets
RBPS Guidance – RBPS #3 Screen and Control Access

This posting looks at RBPS #4, which covers the facility’s ability to deter terrorists from attempting attacks on the facility, detecting an attack or potential attack early enough in the process to allow for early interdiction of the attack, and delaying an attacker from reaching critical assets long enough for security forces to get into place to interdict the attackers before they reach and successfully attack critical assets.

Security Measures
There are no security measures discussed in this RBPS that were not previously discussed in RBPSs 1, 2 or 3.

Security Considerations
The discussion of security considerations in this RBPS covers the same ground that was discussed in the three earlier RBPS.

Metrics
While the security measures and considerations for this RBPS have been previously discussed, there are some significant differences in the focus of the metrics for this RBPS. The Tier 1 Summary Metric focuses on “a series of protective security layers” that allow the process of deter, detect and delay to “allow response to thwart the adversary action before it achieves mission success” (pg 55), and the only security measure that it specifically mentions is vehicle barriers.

Metric 4.1, Deterrence and Delay (General), introduces a new concept not emphasized in previous RBPS: “well-coordinated security response planning”. This reflects the realization that any security system can be penetrated by a sufficiently determined opponent. This means that there must be a well planned and coordinated response to interdict that determined opponent.

The focus of Metric 4.2 is on preventing vehicle borne attacks on critical assets at the facility through the use of anti-vehicle barrier systems.

The Detection Monitoring and Surveillance Metric (4.3) delves into the detection and surveillance system in much more depth than was done in earlier RBPS. While the discussion in Tiers 1 thru 3 focuses on electronic systems, the Tier 4 discussion specifically mentions using security patrols to effect the detection, monitoring and surveillance tasks. The other tiers focus more on all weather system capability, back-up power, and independent systems not subject to common cause failures.

Metric 4.4 focuses on detection and mentions ‘countersurveillance’ and “frustration of opportunity to observe critical assets” (pg 58) for the first time. The discussions for the two highest tiers also mention the use of a “Security Operations Center” to continuously monitor a “facility-wide intrusion detection system”.

The final metric, 4.5 – Interdiction by Security Forces or Other Means, was one of the most controversial in the draft version of the Risk-Based Performance Standard Guidance document because it firmly suggested the use of armed security forces. While the discussion of the interdiction of ‘armed intruders’ still includes the potential use of a facility security force (described as “contract or proprietary, mobile or posted, armed or unarmed, or a combination thereof”, pg 58), it does place equal emphasis on the use of “sufficient delay tactics to allow local law enforcement to respond before the adversary achieves mission success” as an acceptable alternative. The other alternative that is addressed is the use of “process controls or systems that rapidly render the critical asset nonhazardous even if a breach of containment were to occur”, though this is unlikely to be a widely useable option.

HR 2868: Citizen Suits

The hearing earlier this week on the Chemical Facility Anti-Terrorism Act (CFATA) of 2009 showed that there was something worse, from the chemical industry’s point of view, than mandatory IST requirements. This year’s legislation added §2116, Citizen Suits. Essentially, this section adds the potential for law suits initiated by private citizens or activist groups to enforce provisions of the legislation.

This provision has a history in the environmental and product liability arena. It has the advantage, particularly in those arenas, of adding additional eyes to a regulatory regime with an extensive history of limited and weak enforcement. Because these types of law suits are expensive and there are limited provisions for reimbursement, the actual number of law suits filed has been relatively small.

It is interesting that we had heard nothing about this provision until the April 3rd committee draft became available (which I didn’t see until the end of May). It was certainly not in last year’s bill. Furthermore, it hadn’t been discussed in any of the CFATA advocacy letters or articles that I have seen. So the obvious question is why did it appear now, out of whole cloth?

I am not the first to ask this question (see the article by Carter Wood at PointofLaw.com) nor will I be the last. But, I do have a possible answer. I certainly cannot read Chairman Thompson’s mind, but I would not be surprised to hear that it was the fiasco in Institute, WV earlier this year that provided the impetus to adding this provision to CFATA.

I would be willing to bet that one of the first actions brought under this provision (if it remains in the legislation) would be against Bayer CropScience for failure to reduce the risk of a terrorist attack by eliminating the very large methyl isocyanate storage tank. I also suspect that it would be filed way too prematurely to do any good.

Not Too Useful?
The Carter Wood article makes the point that, because of information security restrictions, it will be very difficult for an outside person or organization to have an adequate source of data to bring action under these provisions. As Chairman Thompson pointed out a number of times in Tuesday’s hearing, this section does nothing to lower the prohibition about sharing ‘classified’ information.

This is certainly a good point, and it will lower the number of potential law suits. On the other hand, Chairman Thompson has specifically written into various points in the legislation provisions where facility management is required to share detailed and complete information with a natural adversary, organized labor. It does not take much of an imagination to predict that the majority of non-nuisance law suits filed under this section will be initiated by labor unions. They will be the only organizations with legal access to all of the data necessary to have a chance to prevail.

I am not so sure that I am convinced that this is entirely a bad thing. Now I have been fortunate to work in chemical facilities where management took a proactive interest in safety and responded with real interest to safety suggestions made by hourly employees and low level salaried minions like myself. One does not have to pay real close attention to the news to see that my experience is not universally shared.

Whether it is due to incompetence, venality, or simply running a shoestring operation, there are apparently a significant, if not necessarily large, number of facilities that do not even try to maintain the facade of concern for safety or security. Unless Congress comes up with significant increases in the manpower budget for DHS inspectors, the agency is going to have a hard time weeding out these facilities and still provide reasonable assistance and oversight to the vast majority of companies that legitimately want to do the right thing.

If labor unions and Local Emergency Planning Committees (who will have access to some security data) can use §2116 to shine a light into these shadow facilities and identify some serious security shortcoming, then I think that the cost of the few short-lived frivolous law suits will be worth bearing. Besides, the provisions for awarding legal fees and experts’ fees to the prevailing or the “substantially prevailing party” {§2116(f)} should help to limit entirely frivolous suits.

Security Information Protection
Witnesses from both DHS and industry raised concerns during this week’s hearing that the typical discovery process would inevitably lead to the inadvertent disclosure of sensitive security information. They were not convinced that the standard information protection scheme outlined in this regulation would necessarily be equal to the task.

I think that these concerns are legitimate if possibly overstated. This could easily be remedied by adding wording that specifically prohibits the disclosure of any information described in §2110(g) during the discovery process. While this won’t completely stop the unintentional leaking of sensitive security information during these proceedings, it will certainly reduce it to mere seepage.

A Barrier to Bipartisan Support for CFATA
It was obvious in Tuesday’s hearing that the inclusion of §2116 in CFATA is currently one of the barriers to the bipartisan support for this bill that Chairman Thompson would like to see. From the tone of the Chairman’s comments during the hearing it is unlikely that this section will be removed from the legislation.

I think that adding language in the bill, and in the Committee report on the bill, making it clear that the intent of Congress was not to lessen the legitimate protection of sensitive security information during proceedings under this section would go a long way to addressing the legitimate concerns about the inadvertent disclosure. That may be enough to allow for some bipartisan support.

Wednesday, June 17, 2009

More Chemical Security Legislation – 06-17-09

This seems to be the week for chemical security legislation. A quick search of the Thomas.LOC.Gov web site reveals that there were at least two other chemical security related introductions so far this week. Neither bill is available yet on the GPO site so no real details are available. Here is what I do know:

HR 2883
Title: To amend the Federal Water Pollution Control Act to provide for security at wastewater treatment works, and for other purposes.
Sponsors: Rep Johnson, Eddie Bernice [TX-30], Rep Filner, Bob [CA-51], Rep Napolitano, Grace F., Rep Oberstar, James L.
Referred to: House Transportation and Infrastructure (6-16-09)

S 1274
Title: A bill to amend title 46, United States Code, to ensure that the prohibition on disclosure of maritime transportation security information is not used inappropriately to shield certain other information from public disclosure, and for other purposes.
Sponsors: Sen Rockefeller, John D., IV [WV]
Referred to: Senate Commerce, Science, and Transportation (6-16-09)
Note: If there were any justice this would be called the Bayer CropScience Bill.

HR 2868 Markup Hearing Scheduled

The House Homeland Security Committee last night announced that it would be holding a Full Committee Markup Hearing for HR 2868, the Chemical Facility Anti-Terrorism Act (CFATA) of 2009, on Thursday, June 18th at 10:00 am EDT. A web cast of the hearing will be available live. If there was any doubt in anyone’s mind that Chairman Thompson intends to get this bill through the House this summer, this move will quickly disabuse them of that doubt. To be fair there were a number of hearings held last year on the topic and it has been a routine matter for the House to look at since October of 2006. What will be interesting to see tomorrow is how far Congressman Thompson will go in allowing the Republicans to modify the bill to get a bipartisan consensus backing the bill before it goes to the Energy and Commerce Committee for hearings. Chairman Thompson remarked in yesterday’s hearing that he hopes to get at least one Republican co-sponsor for the bill. It appears that the main points of contention for the Republicans will be IST and the Civil Suit language that appeared in the bill for the first time this year. I would be surprised if Thompson were to allow those provisions to be removed from the bill, but some sort of compromise language may be possible to get bipartisan support.

HR 2892, DHS Appropriations, Status 06-17-09

The bill number is now available for the House version of the DHS Appropriations Bill; it is HR 2892. The Thomas web site does have a viewable version of the bill, but you cannot download a copy of the entire bill. Trying to get the GPO print of the bill comes up with an error message, as does trying to get a copy of the House Appropriations Committee report (H. Rept. 111-157). Since this bill was filed after 5:00 pm EDT yesterday, I am happy to see what is available. The GPO problem should probably be fixed by late today or tomorrow. What I can tell at this point is that the §548 language extending the current CFATS authorization until 10-04-10 remains in the legislation.

HR 2868 Analysis

As I noted yesterday, Monday afternoon Chairman Thompson announced the introduction of HR 2868 (actually that announcement was of the “June 15 version of discussion draft”). Since HR 2868 is available on the GPO website (access through the Thomas Website) I downloaded a copy and compared it to the draft version that I have (06-04-09 version). I have found 24 distinct changes in the two versions. Most of the changes are not significant, but there are a few that are worth looking at.

No Title II
The June 4th version of the committee draft included a two line mention of Title II: Community Drinking Water Systems and that is not shown in HR 2868. Presumably the original intent was that the House Energy and Commerce Committee would be writing the Title II requirements for adding requirements for the EPA to produce rules to secure the hazardous chemicals at water treatment plants. I expect that this is still being done, but it will be a stand alone bill.

One interesting point is that HR 2868 will remove all of the §550 (Homeland Security Appropriations Act of 2007 Public Law 109-295) language from the Homeland Security Act. This removes the water treatment facility exemption from the CFATS program. Since I cannot find any language in HR 2868 that exempts those facilities from CFATA 2009, those facilities will presumably be covered.

I expect that the yet to be introduced water treatment facility security bill will change that. That may be a ‘risky’ move, since failure to pass that bill will put water treatment facilities under the ‘control’ of DHS. Both Chairman Waxman and Congressman Markey are co-sponsors of this bill, so I expect that they know what they are doing.

Another New RBPS
CFATA has always included a ‘new’ risk-based performance standard: methods to reduce consequences of a terrorist attack (the popularly named ‘IST’ provision). HR 2868 adds another new RBPS: §2101(2)(T), methods to recover or mitigate the release of a substance of concern in the event of a chemical facility terrorist incident.

I am a firm believer that any emergency response plan for a chemical facility should address methods to mitigate a release of hazardous chemicals. It only makes sense then that high-risk chemical facilities should include this mitigation as part of their SSP.

One point that has not been included in the discussion of the time frame for implementation for CFATA is that these two new RBPS will require a re-write of the RBPS Guidance document. That cannot really begin in earnest until the final rule is published. Both of these new RBPS will mark a completely new area of concern for the document and this could easily add another year to the implementation process.

This Guidance document re-write may be more extensive than just adding two new RBPS. Since the §550 language is being removed, there will no longer be the statutory prohibition of DHS specifying specific security measures. While I have seen no other discussion of this issue, there is a natural tendency for regulatory agencies to ‘regulate’, so some of the security measures that DHS has been ‘urging’ may slip into being required.

Alternative Security Program
There has been a subtle word change in §2103(d)(1). The old language stated that the Secretary may accept an ASP “in lieu of all or part of the requirements of a security vulnerability assessment and site security plan otherwise required under this section”. The new wording allows the Secretary to accept an ASP “in combination with other components of the security vulnerability assessment and site security plan”.

This makes it more explicit that DHS will require that parts of the CSAT tools be completed for the SVA or SSP submission even when an ASP is being submitted. This is actually the current case, but this explicitly requires this to happen.

Personnel Surety Alternate Security Program
HR 2868 adds a new section, §2103(d)(4), that allows for “a personnel surety alternate security program”. There is an interesting limitation to this ASP; the wording requires that the application must come from “a non-profit, personnel surety accrediting organization acting on behalf of, and with written authorization from, the owner or operator of a covered chemical facility”. I do not understand why this excludes commercial organizations that are doing background checks.

There are three other limiting restrictions included in this section. The first is nearly meaningless since the Secretary would not presumably be able to evaluate if the process is “expedited, affordable, reliable, and accurate”, but the individual facility has an incentive to ensure this. The final restriction, “is a single background check consistent with a risk-based tiered program”, will also be difficult for the Secretary to evaluate and there is no real incentive for the facility to enforce this.

The middle restriction {§2103(d)(4)(B)} is probably the most important from the individual’s point of view. This requires that the process is “fully protective of the rights of covered individuals through procedures that are consistent with the privacy protections available under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)”. This, unfortunately, will be equally difficult for the Secretary to enforce unless there is a vetting process established to ‘approve’ these agencies in advance of their use by facilities. This vetting process could certainly be written into the resulting regulations.

Training Requirements
There are three additions to the training program requirements. The first, §2103(f)(2)(G), requires that ‘employee representatives’ are involved in the selection of ‘existing national voluntary consensus standards’ that are used in training. This is undoubtedly being used to encourage the use of training programs developed by a variety of labor organizations.

The other two additions increase the items that must be covered in the training. Section 2103(f)(2)(J) requires coverage of the “identification and assessment of methods to reduce the consequences of a terrorist attack”. This is being done to ensure that employees have a chance to ‘verify’ that the employer has looked at all appropriate IST possibilities.

Finally, §2103(f)(2)(K) requires that there is a “discussion of appropriate emergency response procedures”. Anyone with any sense would train employees on ‘emergency response procedures’, but I’m sure that there are facilities that would overlook this if it were not for it being included in DHS compliance checks. It certainly isn’t being checked in OSHA or EPA compliance inspections.

Threat Information
There was an addition made to §2106(a). This section requires that the Secretary is to provide covered facilities with information about any terrorist threats relative to that facility. The addition requires the Secretary to provide that information to “a representative of each recognized or certified bargaining agent at the facility, if any.” I think that this is being done to ensure that facilities take threat information seriously.

The only problem that I see with this, and many of the other sections that require sharing of information with ‘employee representatives’ and/or employees, is that this extends the number of people that must be vetted and cleared for access to the information. There is already a problem of lack of security clearances in the private sector hampering the sharing of classified intelligence information. It will also inevitably set up labor disputes when designated labor representatives cannot be cleared for some reason.

It would seem that the intent of this language is that ‘employee representatives’ receive the same information as management. If DHS treats the requirement that way and refuses to share intelligence information with properly cleared management because there are no properly cleared ‘employee representatives’ then this will hamper security efforts.

Tuesday, June 16, 2009

Senate App Comm to Markup FY2010 DHS Appropriations

According to the Senate Appropriations Committee web site both the Homeland Security Subcommittee and the Full Committee will hold markup hearings this week on the Department of Homeland Security FY2010 Appropriations Bill. The Subcommittee Hearing will be chaired by Sen. Inouye (D,HW) on June 17th at 2:00 pm EDT while Chairman Byrd is in the hospital. The Full Committee Hearing will be held on June 18th at 3:00 pm EDT.

TSA Corporate Security Review ICR

A notice published in yesterday’s Federal Register indicates that the Transportation Security Administration intends to resume its Corporate Security Review (CSR) program for the “trucking, school bus, and motor coach modes of the surface transportation sector” (74 FR 28264). The Notice was an information collection request (ICR) for the reinstatement of OMB Control Number 1652-0036.

The CSR program used site visits and interviews to collect information on voluntary security programs in these three modes of surface transportation. As many as three TSA inspectors conduct these interviews. Typical interviews last two to three hours and cover “eleven topics: Management and oversight of the security plan, threat assessment, criticality assessment, vulnerability assessment, personnel security, training, physical security countermeasures, en route security, information technology security, security exercises and drills, and a hazardous materials addendum.”

One of the purposes of this ICR Notice is to collect information from the public to allow the Office of Management and Budget (OMB) to evaluate the proposed information collection to ensure that it serves a practical government purpose and minimizes the burden on the public entities providing the information. Interestingly, TSA estimates that the 1200 hours of interviews that will be conducted at 400 facilities in the typical year will cost those entities $0.00 (74 FR 28265).

Comments on the ICR can be mailed or delivered to:

Ginger LeMay, PRA Officer
Office of Information Technology
Transportation Security Administration
601 South 12th Street
Arlington, VA 20598-6011

SSP Submission – RBPS #3 Screen and Monitor

This is another in a series of blog postings on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are:

Preparing for SSP Submission
SSP Submission – Facility Data
SSP Submission – Facility Security Measures
SSP Submission – RBPS #1 Restrict Area Perimeter
SSP Submission – RBPS #2 Secure Site Assets

This posting looks at the SSP sections that deal with Screening and Monitoring access to the facility. Questions for this RBPS may be found in both the Facility and Asset level sections of the SSP. If the facility has indicated that there are asset specific security provisions at the site, they will be asked if there are RBPS #3 measures for each of the identified assets. An affirmative answer will require the answering of a series of questions about those measures.

Screening Questions

The first real question asks about the general level of screening conducted at the facility. With answers ranging from all vehicles and personnel entering the facility to no screening, it seems to be fairly easy to select an appropriate response. One slight drawback; the answers assume that similar levels of screening are being done for both personnel and vehicles. If one is being required to undergo a significantly higher level of screening than the other, use the “Other” response and explain the situation in the provided block.

Then there will be individual questions about the use of screening on inbound and outbound vehicles and personnel. An affirmative answer to any of these questions will bring up additional detailed questions about how that screening is performed. The first question in the series asks about the methods used to perform the screening with four possible answers:

Not allowed on site
Cursory inspection
Random inspection
Not applicable

These answers do not appear to include 100% screening, but that is misleading. If the facility were to select ‘Random inspection’ the subsequent question asking about the frequency of inspection includes an answer of ‘100%’. Thus a facility that does 100% screening should select ‘Random inspection’ for their response to the initial question.

There is a special area for ‘Inbound Trucks and Railcars’. It is not clear from the information available in the Questions Manual whether these questions are limited to tank trucks and tank cars or if they also include dry-box trucks and rail cars. Looking at the earlier questions about inbound inspections, there are questions about inbound ‘delivery vehicles’ which could include dry-box trucks picking up shipments. I would probably tend to answer questions about dry-box trucks under the ‘delivery vehicle’ question and any boxcar rail shipments under the ‘Inbound Trucks and Railcars’ question. I base this assumption on the fact that both types of railcars are required to be inspected before loading under TSA rail security regulations (49 CFR §1580.107(a)) if they are being loaded with Rail Security-Sensitive Material.

For facilities with Theft/Diversion COI there will be a series of questions about inspections of outbound vehicles. It may seem strange to see the question about POV (personally/privately owned vehicles) outbound from ‘Theft COI Areas’, but this would be an appropriate question if POVs were allowed to be parked near warehouse areas where Theft/Diversion COI are stored or loaded onto trucks. If one of the vehicle types addressed in this section is not allowed to be parked near an area where Theft/Diversion COI are stored or handled, the appropriate answer would be ‘Not Applicable’.

Similar questions are asked for a variety of personnel and their hand carried items. Again, there are separate questions for inbound and outbound inspections. The answers to these questions are essentially the same as those answered for vehicle inspections.

Identification Verification

The other area included in this section deals with the procedures that the facility uses to verify the identity of personnel entering the facility. The first set of questions in this section concern ‘General Identification Methods’. Two of the questions in this section seem to be out of place since they ask about checks of vehicles and hand carried items to prevent “the introduction of weapons, explosives, drugs, etc. into the facility” (pgs 116-7, Questions Manual). These questions were dealt with in great detail in the earlier ‘Screening’ section of the SSP.

Most of the questions are fairly straightforward items asking about procedures for checking identification and the uses of badges and passes. One question seems a little bit odd in the way it is presented. On page 120 of the Questions Manual there is a matrix that looks at the types of badges and passes that might be used on one axis and the people that might be required to use those badges and passes on the other axis. Where the columns cross you find the typical ‘Yes’ and ‘No’ buttons. This is an economical way of presenting these questions. The odd thing is the last entry on the ‘personnel’ axis; ‘N/A’. The only thing that I can think of is that a check in the ‘Yes’ box in the ‘N/A’ column automatically marks ‘No’ for all of the personnel responses for that ID type.

Access Control System

While Access Control Systems (ACS) are technically part of the ‘identification verification process’ they do deserve their own unique discussion. I was disappointed that Access Control Systems were not addressed in the RBPS Guidance document, but they are addressed here in the SSP. Unfortunately, from the information presented in the Questions Manual, it is not possible to tell if there will be questions on the use of ACS in the asset security portion of this RBPS section.

There are a similar series of questions to those seen in the CCTV and Alarm Systems section of the RBPS #1 questions. They ask where the ACS will be ‘controlled’, ‘administered’ and ‘monitored’. The way the ‘monitored’ question is presented (a ‘Yes’/‘No’ choice for each location) suggests that multiple answers to that question are expected. I have the same complaints about the lack of explanation for the distinction between ‘controlled’ and ‘administered’ that I expressed in the SSP RBPS #1 posting.

Vehicle Restrictions

The vehicle restrictions section of the RBPS #3 portion of the SSP looks at how the facility controls the movement of vehicles into and within the facility. This section uses a term that is derived from the design of European Castles; the ‘sally port’. In castle construction this was an area between the inner and outer walls of the castle where a force could assemble to ‘sally forth’ and conduct their counter attack. It was distinguished by two sets of gates; one in each wall. In modern security usage it describes a protected area where an inspection can be conducted between two closed gates. Under high-threat conditions only one gate will be opened at a time.

This section also includes questions about parking areas on and off site. There are questions about the parking situation allowed for a variety of classes of vehicles, including employee, contractor and visitor POVs. The other class of vehicles listed is ‘Delivery’ vehicles, so I guess this covers both pick-up and deliveries (answering a question earlier in this posting).

One class of vehicles that is missing from this section is ‘Service Vehicles’; those vehicles driven by a wide variety of vendors that make deliveries and provide technical services at high-risk chemical facilities. They may include uniform, food and office supply vendors that do not typically make their deliveries to normal loading docks. They may also include a wide variety of technicians providing service to a wide range of specialty equipment. This may be especially critical since these vehicles are frequently parked in or adjacent to operational areas of chemical facilities.

Homeland Security Committee Publishes Draft legislation

Breaking News> This just happened last night and I just now heard the details. I’ll provide the links that I have and will analyze and report later.

June 15th Version of Committee Draft for CFATS Reauthorization .PDF - http://homeland.house.gov/SiteDocuments/20090615161831-07224.pdf

Section by Section Analysis (HS Committee Staff) .PDF - http://homeland.house.gov/SiteDocuments/20090615161723-09134.pdf

Chairman Thompson Press Release - http://homeland.house.gov/legislation/index.asp?ID=460&SubSection=0&Issue=0&DocumentType=0&PublishDate=0

Monday, June 15, 2009

STB Decision on UP Petition

Last week I briefly noted that the Surface Transportation Board (STB) had issued a declaratory order in response to the Union Pacific petition that I have been following in this blog. That order clarified the requirement that UP has an “obligation to quote common carrier rates and provide service for the transportation of chlorine for the movements at issue in this case” (pg 1).

Board Discussion

STB starts off their discussion of the petition by noting that this declaratory order is being issued “to provide guidance concerning the extent of the common carrier obligation to transport hazardous materials by rail under the facts presented here [emphasis added]” (pg 3). In a footnote (footnote 12) to that comment the Board further notes that they have the authority to “determine whether the terms and conditions under which railroads transport TIH materials are reasonable”.

The Board also notes that there “is no dispute that USM made a request for common carrier rates and that UP did not provide requested rates” (pg 4). They further note that “the common carrier obligation requires a railroad to transport hazardous materials where the appropriate agencies have promulgated comprehensive safety regulations”. Finally they note that while carriers may seek the imposition of stricter safety standards, the burden of proof lies on the carrier to show that those “regulations are unsatisfactory or inadequate in their particular circumstance”.

Having established the standards that UP would have to sustain to prevail in their petition, the Board looks at the actual petition. The Board notes that while UP alleged that there were adequate closer supplies of chlorine available for the destinations listed in their petition, they failed to substantiate those claims while industry comments indicated otherwise.

UP raised safety issues in their petition but, according to the Board, failed “to establish that the transportation at issue is unsafe” (pg 5). In fact, the Board noted that UP had “moved chlorine for USM to two of the denied destinations in the last 2 years”.

Finally, UP suggested that honoring “USM’s requests may conflict with TSA and FRA [security and safety] policies”. The Board notes that comments filed by the Transportation Security Administration in this case stated that “the risks of transporting chlorine by rail are appropriately mitigated and such movements can take place without posing unnecessary safety and security risks” (pg 6). Having that statement on the record, the Board refused to substitute their “safety and security judgments for that of DOT and TSA” in this case.

In short, the Board found that “UP has not shown that USM’s requests for rates and service are unreasonable.” This was the basis for their decision against the UP petition.

Practical Effects of Ruling

This certainly does not end the controversy surrounding the common carrier obligation to carry TIH chemicals. It does establish the standards that will be used to examine future claims similar to ones filed in the UP petition.

One claim that the Board specifically did not include in their ruling was the liability issue raised by the American Railroad Association in their comments on the petition. In a footnote (footnote 21) the Board noted that claim and wrote: “The Board recognizes that the issue of liability and indemnification exists with regard to the transportation of chlorine and other TIH materials” (pg 5). Since UP did not raise the issue in their petition, the Board could not consider it in their ruling.

These issues, liability and indemnification, will be the next major fight in the ongoing conflict between railroads and shippers on common carrier obligation of carriers to provide transportation of TIH chemicals like chlorine and anhydrous ammonia.

Reader Comment - 06-14-09 - Discussion on Assets

The following response from a reader in DHS explains how they came up with the way they are dealing with assets in the SSP. This is a very thoughtful response and I am happy to include it in its entirety and unedited (though I did add a link to the referenced posting). Obviously without knowing who the writer is, the readers of this blog will have to make their own decisions as to how authoritative this is. I am completely satisfied that this explanation is a good description of how at least a significant portion of DHS looks at the issue. Without further introduction:

I read the reader comment and your comment on the comment having to do with Identification of Assets. Let me try to clarify a bit…

The SVA did ask owner/operators to identify assets and to provide some basic information on them. In the context of the SVA, we were looking for information that would contribute to a more detailed understanding of Consequence – in other words, where and in what are your COIs? The questions about assets were spun that way, and for the most part, respondents got that we were looking for “asset” information that would allow us to refine our understanding of consequentiality. Hence, in most cases, the “assets” submitted were tanks, tank farms, warehouses, and in many cases, actual COIs themselves, especially when all a facility’s COI was in a single cylinder or small group of cylinders. The bottom line is that the “asset” information collected under SVA is of little utility (in most cases) for understanding vulnerability – it was intended to give us a much fuller understanding of consequence.

In context of the SSP, we are looking for information that informs our understanding of vulnerability. Therefore, we are looking for “asset” in a different sense. (We are well aware that we could have worded things a little better, but what is done is done.) In the SSP process, we are looking for a facility to provide security (and safety, mitigation, response, if those things affect either vulnerability or consequence) information on each component, area or capability on the facility (or elsewhere, in some cases) that affects the consequences and/or vulnerability of a COI or other potentially hazardous chemical.

That is a mouthful. Let’s break it down. An asset in the SSP context is anything – a system, structure, even a capability. In identifying assets, a facility should ask itself these questions:

Where are my COIs located? The physical structures that are holding and processing COIs are assets that should be included. The decision as to how far down to break a system into constituent assets belongs to the site, however, it is in their interest to break it down enough so that assets with different measures being applied to them are separated. For example, if a caustic and chlorine unloading unit has cameras on the unloading station and in the storage tank area but not on the rail siding where cars are parked, they may want to break the CCL unit down into three “assets” – rail siding (no credit for CCTV) and unloading stations (yes credit for CCTV) and storage tank farm (yes credit for CCTV + yes credit for secondary containment). If there is one big dike around the whole unit, and it is all covered by CCTV, then the “asset” might just be the CCL Unit.

What Assets affect my COI especially in terms of vulnerability and consequence? The physical security measures not DIRECTLY associated with COI also matter – the gates, perimeter, cameras, lights, etc. that make up the macro security for the facility. Again, systems should only be broken down to the extent that they must be to differentiate between impact the different components have on vulnerability and consequence. So a facility may declare its perimeter as an asset, or conversely, it may break it down into the barrier, active gates, and inactive gates if the structure and measures in place are varied for these different elements. The same goes for power substations, utility feeds, computer systems, personnel departments, and so on.

There are a few things that a facility really needs to do in order to get an SSP right or close to right on the first try. These are –

Plan – including reading all the instructions and guidance docs, and assembling the right team.

Identify the right assets – figure out what you have that affects either the vulnerability or the consequentiality of your COIs, number them, and circle them on your site diagram. These are your “assets” for the SSP.

Be detailed. Think of this from our perspective. Anything we are not told – well, we will have to make assumptions, and they will almost always be unfavorable. So, if someone says “Fence – yes” but gives us no other information, we will have to assume it is one of those silt fences that you see around construction sites, and may be falling down at that. If someone says “Fence – yes” and then puts in the text box – “11 gauge chain link meeting current milspec – 6’ on metal posts set in concrete, with 1’ foot triple strand barbed wire top guard on outriggers. Fence encircles 100% of active facility. 3’ clear zone inside (100%) and 4’ clear zone outside (100%). Full stone ballast, top rail and bottom wire. Complete maintenance contract with installer in place. Fence is broken by 5 gates, 1 active vehicle (guarded 24x7) 1 active rail (not guarded, controlled by site personnel) 2 active pedestrian with card controlled turnstiles, 1 inactive fire gate (joint control site personnel and local FD)” - This fence is going to get the facility lots of credit for vulnerability reduction. We can see how the fence impacts vulnerability, and we can therefore give full credit.

I know that’s a little much – sorry. I was trying to put the context around the issue of “asset”. One other tidbit that might help – Remember our basic equation, right?

C x V x T = R

C is consequence
V is vulnerability
T is Threat
R is Risk

We get a rough “C” from the top screen. Based on that, we either ask for more info or determine a facility is not at all likely to be “high risk” and we screen them out. We ask more info in the form of an SVA. From the SVA, we get a much more refined “C” and we also get a rough, opinion of the operator, “V”. Based on this info, we may (and often do) change the preliminary tier ranking and then ask for detailed security and security risk management info. That is the SSP. The SSP gives us a refined “V”. We add the “T” based on an internal process, and there you have it – a risk rating for each plant.

The key of course is the veracity of the inputs. Virtually ALL the input data comes from the facilities themselves. Like all such systems, the better the info going in, the better the result coming out. The key for respondents is this – when we are not told something, we are forced to make assumptions, and we will make very conservative assumptions, as we must.

RBPS Guidance – RBPS #3 Screen and Control Access

This is another in a series of blog postings that will provide a close-up look at the RBPS Guidance document. DHS recently released this document to assist high-risk chemical facilities in meeting the risk-based performance standards required for site security plans under 6 CFR §27.230. The other blogs in the series were:

Risk-Based Performance Standards Guidance Document
RBPS Guidance – Getting Started
RBPS Guidance – RBPS #1 Restrict Area Perimeter
RBPS Guidance – RBPS #2 Secure Site Assets

This post looks at the third risk-based performance standard which deals with screening and controlling the access of personnel and vehicles into the facility or into restricted areas or critical assets within the facility. The discussion in this RBPS is predicated on the existence of a perimeter barrier system that allows entrance to the facility at only a limited number of controlled points.

Security Measures

The discussion in this section of the Guidance document focuses on five classes of security measures. They are: Personnel identification, Hand carried items inspection, Vehicle identification and inspection, Control point measures, and Parking security measures.

Personnel Identification

The Guidance document provides examples of a number of potential personnel identification schemes for verifying the identity of personnel entering the facility or restricted areas within the facility, ranging from checking government photo identification (driver’s license for example) to sophisticated facility provided ID cards that can interact with automated access control systems. The less sophisticated systems require that someone actually looks at the ID and compares it to a list of personnel authorized access.

Not covered in the RBPS is the need to provide the security personnel at the gate with a daily list of personnel expected to arrive at the facility to make deliveries, pick-up shipments, or conduct other transitory business. The higher risk facilities may require their suppliers and customers to provide advance copies of photo IDs or other unique identifying information for their drivers delivering or picking up loads. Lower risk facilities may decide that just providing the driver’s name will be sufficient. Other, unexpected personnel not cleared in advance will need escorts to pick them up at the gate.

Privacy concerns will have to be addressed when keeping records of personnel entering the facility; the more identifying information provided the more problems that will arise. Facilities will need to establish firm rules for purging personal information and ensure that they are followed to the letter. Controls will have to be put into place to ensure that access to the personal information is strictly limited.

Hand Carried Item Inspections

This section of the RBPS #3 discussion points out that while all personnel should be subject to inspection, it is reasonable to subject visitors to a higher level of inspection than trusted (and cleared) facility employees. Many facilities will find that random more detailed inspections of employees’ hand carried packages will provide an additional level of security.

The description of inspection techniques provided on page 43 naturally leads one to assume that the focus of these inspections is directed at finding explosive devices. While these would certainly be high priority search targets, facilities should also consider prohibiting/controlling people bringing cameras onto the facility. A visitor with a camera could be on a facility reconnaissance mission.

Vehicle Identification and Inspections

High-risk chemical facilities will need to inspect vehicles entering the facility. Depth and extent of the inspection may be adjusted depending on the vehicles. Just as in package inspections, employee vehicles probably will not receive the same level of inspection as unannounced delivery vehicles.

While not addressed in the Guidance document, facilities with theft/diversion COI packaged in smaller containers may want to seriously consider searching outbound vehicles for such containers. Tight controls on those filled containers may reduce the necessity for checking vehicles; random checks will provide an additional layer of security.

Control Point Measures

The Guidance document describes a number of measures that can be used to control the flow of traffic approaching the facility and near critical assets within the facility. The control point measures outside the facility received some attention in RBPS #1, but they may also help position approaching vehicles in the optimum position for vehicle searches.

Within the facility perimeter the vehicle control measures can help to keep unauthorized vehicles away from critical assets. They can also be used to control the movement of vehicles within the facility; making it unnecessary to require vehicles to be escorted when moving from the gate to loading and unloading facilities.

Parking Security Measures

The location of many facility parking lots was selected long before facility security became an issue; they are located within the facility perimeter. This creates a potential problem with controlling the movement of personal vehicles within the security perimeter. Limiting these parking areas to just employee parking may not be practical depending on the number of ‘visitors’ that the facility typically sees. Other traffic control measures to isolate the parking lots from critical facilities may be more appropriate.

A parking area that is not directly addressed in the Guidance document is the area where trailers, both dry boxes and tank wagons, are parked when they are waiting for loading or unloading. Fully loaded trailers are very difficult to search adequately. This means that the parking areas for these vehicles must be kept away from critical assets in the facility.

Allowing drivers and their tractors to remain with trailers for extended periods of time is going to create security problems. Unless the area is closely monitored, these drivers will have effective access to many areas of the facility where they do not belong. Providing a separate parking area for the tractors of long-haul drivers, physically separated from the facility and remotely monitored, will be a good solution for many facilities. Other facilities may need to require these drivers to drop their trailers and leave the facility perimeter while they wait for loading or unloading to be completed.

Security Considerations

DHS continues to make the points in this standard that they did in the previous two; no single security measure will be adequate by itself. Layering security with complementary measures and techniques will provide a much higher level of security. Differing environmental conditions must also be taken into account when planning for this standard; security needs to be effective in all expected situations.

Metrics

The metrics for this standard are all pretty straightforward with no concepts that weren’t introduced in either this section or Appendix C. Only one of the metrics, 3.2 – Identity Verification Systems, combines the suggested measures for two different tiers (Tiers 3 and 4). There is only one other metric, 3.3 – On Site Parking, that is not applicable to all four tiers; Tier 4 is listed as ‘N/A’.