Friday, August 20, 2010

CFATS Inspections

There is an interesting article on about comments made by Dennis Deziel, acting director of the Infrastructure Security Compliance Division (ISCD), at the OPSEM2010 conference being held Austin, Tx. He told the conference that ISCD had conducted 80 on-site reviews of site security plans since the inspection process began in February. He also explained that the inspection rate is expected to increase to 30 to 40 per month. I have addressed the problems inherent in this type of inspection process. One of the reasons that the inspection process is being accelerated was identified by Deziel. He was quoted in the ICIS article as saying: “People are now starting to understand exactly what the expectations are, which helps us get quality site-security plans.” Increased Experience Level Part of the reason for this is the fact that many facilities are using a relatively limited number of security consultants to help them complete their CFATS process. This means that there is an unofficial spread of ‘lessons learned’ through these organizations. Subsequent facilities using these consultants benefit from the increased knowledge base about what DHS is actually looking for in their site security plan. Another factor that cannot be discounted is that the inspection teams are gaining experience in the process. Each time they enter a new facility they have a better understanding of what to look for, and what questions to ask. They also learn what other facilities have had success with so this adds to the suggestions that they can make. Helping DHS accelerate the inspection process is the continued increase in trained inspectors coming out of the Chemical Security Academy. Hopefully ISCD is rotating their new inspectors through experienced teams so that they can acquire the lessons learned by those teams. SSP Tool Problems One of the things that has impressed me with the CFATS process is the willingness of ISCD to take a hard look at what they are doing and make appropriate changes. The article quotes Deziel as saying: “That said, we realise (sic) that the site-security plan tool is not perfect, and there hasn’t been a lot of guidance given to facilities.” Part of the guidance problem is that DHS has bent over backwards to avoid looking like it was violating the §550 prohibition of mandating specific security measures. This brings up the interesting possibility of changes being made to the Risk Based Performance Standards Guidance document and/or the Site Security Plan Tool on CSAT. It is probably more likely to have the SSP tool changed since that doesn’t require any publication and comment period to implement. The RBPS Guidance does require a publication and comment period to implement significant changes. I have not heard any specific talk about these changes, but it would be typical for ISCD to update either of these documents to reflect the lessons learned in the process.

No comments:

/* Use this with templates/template-twocol.html */