Monday, December 13, 2010

DHS Site Security Plan Helpful Tips

Last Friday I did a late blog posting about a new document that DHS had posted on its Chemical Security Assessment Tool (CSAT) web page for the Site Security Plan (SSP). That new document is the “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan” pamphlet. The tips are based upon the large number of SSP submissions that DHS has reviewed and the smaller number of pre-authorization inspections that the ISCD Chemical Facility Security Inspectors have conducted.

As I briefly mentioned in the Friday evening post, the Helpful Tips pamphlet addresses five principal areas that DHS has identified as needing additional clarification for facilities submitting SSPs. Those areas, or tips, are

• Appropriate Level of Detail
• Identifying Specific “Assets” and “Systems”
• Security Measures Appropriate to Specified Risk Levels
• Facility-Wide v. Asset-Specific Security Measures
• Year-Round View
As promised I would like to provide a brief review of this document. This is a review and should not be considered to be a substitute for reading the tip document. That five page document probably provides a better understanding of what DHS is looking for and it provides some concrete examples to illustrate these tips.

Appropriate Level of Detail

In this tip DHS points out that simply checking off the responses to most of the questions is not going to provide them with an adequate level of detail for them to determine if the listed security measures meet the risk based performance standards outlined in the RBPS Guidance Document. This is the reason that there are so many text boxes scattered throughout the SSP submission pages.

Those text boxes are designed to be used by the facility to provide detailed information on the referenced part of the SSP. Apparently too many facilities are either not using the text boxes or are providing a less than adequate level of detail when they are used. Two very important text boxes in each section of the SSP are the boxes for planned and future changes to the SSP.

Identifying Specific “Assets” and “Systems”

There apparently continues to be some confusion as to which assets and systems need to be addressed in the SSP submission. Part of this confusion seems to stem from the use of similar terms in the Security Vulnerability Assessment (SVA) and SSP. In the SVA the terms were used to describe COI specific critical ‘assets’ and ‘systems’. In the SSP DHS uses a more expansive description of these terms; identifying “all systems critical to the overall security and operations of the facility” (pg 2). Facilities will almost certainly have more systems described in their SSP than were identified in the SVA.

Security Measures Appropriate to Specified Risk Levels

The DHS tiering letter notifies the facility what risk-based tiering level has been assigned to the facility. These four tiers reflect the overall risk that the facility faces from a potential terrorist attack. The security measures that the facility puts into place must meet different standards outlined in the RBPS Guidance document based upon that tier level.

Additionally DHS may decide that certain chemicals of interest (COI) present a lower risk of terrorist attack than the overall facility tier ranking. In those cases the tier ranking letter will also provide a separate, lower tier level for that COI.

In this tip DHS reminds facility security management that security measures specifically designed to protect that lower tiered COI are only required to meet the RBPS standards for that tier level. But, any security measure that applies to the facility in general or additionally protects a higher tiered COI must meet the higher RBPS standards for that tier ranking.

Facility-Wide v. Asset-Specific Security Measures

The fourth tip essentially expands on the significance of the third tip. DHS has provided each facility with the ability to describe general facility security measures and measures that protect specific assets. In this tip DHS is suggesting that many facilities are taking less than appropriate use of this potential for differentiation.

Larger facilities and facilities with multiple COI need to consider if describing asset specific security measures will make it easier to provide the level of detail that ISCD will need to evaluate the SSP. Additionally, with some assets requiring lower levels of protection, the facility might find that is can lower its security costs by adopting measures more appropriate to the tier ranking for that COI.

Year-Round View

In this tip DHS notes that security requirements for a facility might vary during the year, with some periods requiring additional security measures. Rather than providing adequate security year-round for these specific instances of increased risk, DHS suggests that a base level of security be addressed in the bulk of the SSP and then the facility identify additional security measures that might apply to those specific periods of time.

Most of us would recognize that events like shut-downs and turn-arounds might require higher levels of security that could require additional security measures due to the large number of temporary personnel and contractors on-site. DHS specifically notes in this tip that there are unplanned events that a reasonable person should consider ‘foreseeable’ for specific areas of the country (large fires, tornados, floods and hurricanes for instance), and these foreseeable unplanned events should also be addressed in the SSP.

The Sixth Tip

The ‘Helpful Tips’ pamphlet actually includes a sixth tip in the conclusion section of the document. In my opinion it may be the most helpful tip in this generally helpful document. The conclusion section makes the very valuable point that DHS ISCD really does want every facility to succeed in getting its SSP approved. To aid facilities in accomplishing that task ISCD has put into place a number of assistance tools to guide facilities to successful SSP development and approval. These are listed in the conclusion, along with the appropriate links and contact information.

DHS has made a very real effort to work with facilities throughout this process. They recognize that this is a very complex and difficult process. It is of course made more difficult by the fact that many elements of the chemical industry are in a period of change due to both the current economic downturn and the more general change in the world-wide chemical economy. DHS has no interest in running facilities out of business because of the cost of security. Similarly DHS has a responsibility that minimum levels of security are established and maintained at high-risk chemical facilities. Meeting both of these sometimes conflicting requirements can only be accomplished by working with industry to adapt creative and effective security measures.

1 comment:

Anonymous said...

Pertaining to text boxes, I believe it to be helpful to know 4000 characters are allowed. You can check with your DHS contacts if you need verification on this.

/* Use this with templates/template-twocol.html */