Tuesday, February 1, 2011


Last week the Security Industry Association held their Town Hall – CFATS Best Practices webinar that I had previously written about. I had a chance to watch this webinar and was favorably impressed (FULL DISCLOSURE: SIA waived their $35 non-member fee to allow me to participate). There were some minor technical issues (NOTE: to anyone presenting in such webinars via phone bridge; cell phones provide very broken audio; use a land-line please) but the information was very good. A copy of the slides is now available on-line.

DHS Presentation

I was slightly disappointed that DHS substituted Todd Klessman, the acting Branch Chief for the Policy and Programs Branch at ISCD for the advertised presentation by Sue Armstrong. Mr. Klessman did a fine job and I’m sure that the information presented did not change, but Ms Armstrong’s participation was advertised and, because of her position within NPPD, would have carried a stronger imprimatur; a minor disappointment that I quickly got over.

Mr. Klessman did provide an update on the status of the implementation of CFATS. Interestingly the number of CFATS covered facilities has dropped once again, to 4,755. Long time readers will remember that the initial number was more than 6,000. It would be interesting to have ISCD report on the reasons for the changes, how many were the results of deliberate changes in COI inventory to avoid regulation (and consequently reduce the potential threat to local communities) and how much was due to the current economic conditions. That information could have an impact on the (now muted) IST debate.

Mr. Klessman did touch briefly on the new Pre-Authorization Inspection (PAI) program. It’s not actually a new program as it was begun last January. I’m calling it new here because it was not part of the original CFATS implementation plan. It was a response to the less than adequate information being included in SSP submissions. DHS is not actually blaming facilities for the inadequate information, which is good since it appears to be more the result of a shortcoming in the SSP Tool in CSAT. I’ll talk more about that later.

The DHS provided data shows that ISCD Chemical Facility Security Inspectors (CFSI) have conducted only 150 PAI and a miniscule 4 Authorization Inspections. This slow progress in the implementation of the CFATS program is due to a number of issues (in my opinion, Mr. Klessman did not make any excuses in his presentation), including under-estimation of the complexity of the SSP submission and inspection processes; and the slow funding process for new hires (like the three continuing resolutions for FY 2011 and still no action on a final budget).

Mr. Klessman also vaguely (no details or firm mention of any expected dates – vaguely) mentioned a number of other CFATS related programs, including:

● Appendix A Review
● CSAT Tool Updates
● CFATS/MTSA Harmonization
● Ag Facility CFATS ‘Temporary’ Exemption
● Personnel Surety Program
Industry Presenters

The two corporate presenters (Gregory Eatmon, Baker Hughes; and Clyde Miller, BASF) both gave excellent presentations. Mr. Eatmon gave an excellent overview of the PAI process noting that the PAI’s that his facilities have seen were three-person teams that were on-site for three days. He also noted that once the PAI was over, DHS unlocked the SSP submission for a technical edit and gave the facility 45 days to re-submit the SSP.

Both presenters had good things to say about the professionalism of the CFSI, mentioning how helpful they were in explaining the SSP deficiencies that resulted in the PAI and helping the facility to understand how those could be corrected.

The most important point that both presenters made (and I have heard elsewhere) is that the reason for the lack of information included in the SSP submission was that Submitters were checking the provided ‘Yes’ boxes where appropriate and moving on. What DHS apparently really needs to have done so that they can get the information necessary to properly evaluate the SSP is for the facility to ignore the ‘Yes’ box, checking instead the ‘Other’ box and then explaining in detail what the security measure entails at their facility. You have to ignore the ‘Yes’ box because the text boxes only become accessible if you check the ‘Other’ box.

So, apparently the addition of the PAI process is not a result of facility problems but an inadequately designed SSP. That is not necessarily a slam against the SSP designers, first design passes at complex tools like CSAT are seldom the most effective. I am disappointed that DHS has not made this problem clearer earlier. They could have saved themselves a great deal of time and effort if they had gone back and modified the programming for those text boxes, making them available at all times. Then they would have been able to tell the CFATS community to go back and re-do their SSP by adding supporting details in the narrative box for all ‘Yes’ answers.

To be fair, the SSP is a very complex piece of software and DHS-ISCD does have limited resources. Even so, in my not-so-humble opinion that would have been the most efficient way of doing things. As it is the almost 4,000 SSP’s submitted will all have this problem. DHS needs to rely on more than just this type webinar to get the word out to all of the affected facilities to communicate this short-coming to the regulated community.

Future SIA Webinars

According to an email that I received from SIA, they are planning a couple more CFATS related seminars. At least one of these will address RBPS #8, Cyber Security. I have yet to hear anything about how the CFSI are dealing with ICS security issues, so I look forward to that.

No comments:

/* Use this with templates/template-twocol.html */