Monday, June 1, 2009

SSP Submission – Facility Security Measures

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data While the two earlier sections of the Site Security Plan, Facility Information and Facility Operations, were extensive (and provided essential information to DHS) we are now beginning to look at the meat of the Site Security Plan (SSP); the Facility Security Measures. This section deals with equipment and procedures that are applied to security on a facility wide basis. While specific pieces of equipment may exist at only a single location in the facility, they provide some measure of protection for the entire facility. Facilities may also have security measures designed to protect a specific asset, but those will be covered in next section of the SSP, Asset Security Measures. Risk-Based Performance Standards The Facility Security Measures section of the SSP is organized around the Risk-Based Performance Measures (RBPS) specified in 6 CFR §27.230. Each of the 18 RPBS will be addressed in turn, starting with the Restrict Area Perimeter and ending with Records. Each RBPS will have to be addressed for every facility, but how a facility addresses any RBPS will depend on the facility. As each RBPS section is opened in turn, the first question that the Preparer will encounter is “Does the facility have any existing, planned, or proposed measures for RBPS X?” If the answer to that question is ‘No’, then that RBPS has been addressed and the facility may move on to the next RBPS. DHS will determine if ‘No’ is an adequate way to address that RBPS by looking at the totality of the SSP. “Failure to provide information about security measures relevant to a given RBPS may result in the need to submit a revised SSP and, in some cases, ultimately could lead to disapproval of a facility’s SSP” (pg 33). DHS does expect that most facilities will have security measures for most of the eighteen RPBS, either in the Facility Security Measures or Asset Security Measures section of the SSP. There are two exceptions to this general rule, RBPS 6 - Theft and Diversion and RBPS 7 – Sabotage. Facilities that do not have Theft/Diversion or Sabotage COI identified on their Final Facility Notification letter will probably not have security measures for these two RBPS. Security Measures If the initial question in the RPBS section is answered affirmatively, the Preparer will be able to access a number of questions about potential security measures that could support that RBPS. The first question for each security measure asks if the facility is currently using that security measure. “Facilities are required to list and/or describe existing security measures as part of Section 4 of their CSAT SSP submissions (pg 35).” There are a number security measures identified in each RBPS with a series of questions for each measure. Most questions are answered by selecting “Yes/No” or selecting from multiple choice answers. Most multiple choice questions include an ‘Other’ selection with space provided for a description of the answer. What does appear to be missing in the lengthy list of questions about security measures is a space for identifying unique security measures that are already in place. While the listing provided is certainly extensive, I would be willing to bet that there will be a significant number of facilities that will have found or developed security measures that are not included in the list. In some cases there these measures will be able to be squeezed into the ‘Other’ selection of existing questions. If a facility runs into such a situation I would suggest that they use the “Planned Measures” block to describe these measures and carefully describe that the security measure is already in place. The “Planned Measures” is included for facilities to list security measures that are not currently ‘in-place’ but have progressed to the point that they will be in place at some predictable point in the future. The facility must be able to document their commitment to completing the installation of the ‘planned measures’; “DHS may subsequently ask the facility to produce documentation confirming the planned measure” (pg 35). DHS may consider planned measures in their evaluation of the SSP. If the planned measure is required for DHS approval of the SSP, the Letter of Approval marking final approval of the SSP will not be forthcoming until the ‘planned’ security measure is actually installed. Security Measures Not Considered While DHS is requiring all current security measures to be included in the SSP submission, they did realize that there might be existing security measures that will be phased out as newer security measures come on-line. The problem is that the submitted and approved SSP will form the basis for subsequent DHS inspections of the facility. This means that the described security measures will then be required security measures. DHS has provided an area at the end of each RBPS section where facilities can explain what security measures that it does not want to be included in the approved SSP. DHS does note that “if a facility chooses to eliminate an existing security measure that is relevant to one or more CFATS RBPS, it is possible that the facility’s SSP, as submitted, may not satisfy the applicable RBPS” (page 36). Interestingly, there is no mention in the Questions Manual of a question about security measures that the facility does not want to be considered. Neither does the Screen Shots file show a picture of a screen with such a question. This is an unfortunate oversight. Proposed Security Measures The final question in each RPBS section deals with the issue of proposed security measures. These are measures that the facility is considering installing at the facility. There has been no firm commitment to have these measures in place, so DHS will not consider them in approving the SSP. The reason that a facility might want to include these potential security measures in their submission is that it DHS might not approve their SSP. These proposed security measures might allow DHS to say that: “No the current SSP is not approved, but if this proposed security measure were put into place, DHS would probably be able to approve the plan.” Instructions Shortcomings In my opinion there is one major shortcoming with the Instructions Manual; there are no instructions for the individual RBPS questions. While the RBPS manual provides some guidance on the items to be considered, there is a dearth of detailed information. The questions, however, contain a great deal of detail. In future discussions of the individual RBPS sections, I will identify those items that I think should have included additional information in the Instructions Manual.

No comments:

/* Use this with templates/template-twocol.html */