VCAT Compliments CSAT

As I have hinted a couple of times this week, DHS has another security program for the vast majority of chemical facilities that are not determined to be high-risk facilities governed by CFATS. It is one of the better kept security secrets at DHS and you have to hunt around a little bit to find it. But it is designed to help those non-CFATS facilities that have some concerns about their security to identify and evaluate their security risks so that they can develop a cost effective security program. It is called, imaginatively enough, the Voluntary Chemical Assessment Tool, or VCAT.

Voluntary Chemical Assessment Tool 

It is run out of another office in the Office of Infrastructure Protection, the Sector-Specific Agency Executive Management Office. The VCAT was developed by the Methodology Technical Implementation (MTI) team in the Infrastructure Information Collection Division (IICD). It is an on-line tool that allows an owner/operator to “identify their facilities’ current risk level using an all-hazards approach, and facilitates cost-benefit analysis by allowing them to select the best combination of physical security countermeasures and mitigation strategies to reduce overall risk.” There is a real nice video that was shown at this summer’s Chemical Sector Security Summit that provides an overview look at the VCAT program. In general the program consists of four on-line modules:

● Assessment module collects relevant information necessary for analysis.

● Vulnerability Analysis module displays vulnerability level and prioritizes security measures.

● Risk Analysis module displays the current and projected risk score for the overall assessment, as well as for each threat and critical asset.

● Risk Management module provides the ability to assign and track the progress of proposed security measures.

The VCAT includes a list of potential security measures. The security team at the facility can use this list to play a variety of ‘what-if’ scenarios; plugging in a variety of combinations of security measures to see what effect they have on the facility risk level. This would allow the facility to pick the most cost-effective security measures for their unique situation.

The information put into the VCAT program will also aid the Chemical Sector Specific Agency to improve their infrastructure protection activities under the National Infrastructure Protection Plan. The collated information will be used to address facility assessments, response planning, risk mitigation execution and incident management activities across the chemical sector. The data entered into the VCAT is protected under the Protected Critical Infrastructure Information (PCII) rules. This means that DHS is prohibited from disclosing this information, even from Freedom of Information Act requests. Facilities wishing to learn more about the VCAT should contact DHS by email; chemicalsector@hq.dhs.gov.

VCAT Information Collection Request 

Interestingly enough, DHS filed a 60-day notice of their intent to submit an information collection request (ICR) to the Office of Management and Budget about the VCAT program earlier this week. The ICR estimates that it will take the average facility about 8 hours to complete the VCAT. I do find it slightly disturbing that they expect only about 50 facilities to complete the VCAT every year. Part of the problem here is that DHS is doing very little to advertise the VCAT program.

Comments and questions about this ICR will be accepted until November 13th. Comments and questions about this Information Collection Request should be forwarded to Amanda Norman, Program Analyst, DHS/NPPD/IP/IICD, Amanda.norman@hq.dhs.gov.