Tuesday, April 19, 2011

HSAS Elimination and CFATS

Sometime this month the Department of Homeland Security is expected to formally eliminate the Homeland Security Advisory System, the color-coded system that was supposed to keep the public updated on the current state of the threat of terrorist attack. I received a reader email yesterday asking the following interesting questions:

“Can you advise very briefly as to how are CFATS Site Security Plan holders revising their SSP security posture change process with the elimination of the DHS HSAS? How or to what are they tying the security level changes to with the termination of that system?”

HSAS and SSP

RBPS 13 in the CFATS process requires facilities to plan for ‘security measures and considerations for elevated threats’. The RBPS Guidance document explains:

“The “Elevated Threats” RBPS addresses the need to escalate the level of protective measures for periods of elevated threat designated by DHS. The purpose of the RBPS is to enhance facility and operational security, while reducing the likelihood of a successful attack, through the implementation of scalable security measures and actions in response to changes in the Homeland Security Advisory System (HSAS) threat levels [emphasis added]. The simplest way for a facility to meet the standards sought by RBPS 13 is to have a set of documented and implementable security procedures that provide for a change in the facility’s security posture based on an elevated HSAS threat level. Properly responding to and implementing appropriate security measures in response to different threat levels significantly improves a facility’s capability to “Deter, Detect, and Delay” a threat (see RBPS 4), greatly reducing the likelihood of a successful attack during a period of elevated threat.” (page 101)

The Guidance document goes on to explain that DHS uses a variety of methods of identifying elevated threats, including the HSAS, DHS Threat Advisories and DHS Information Bulletins. Even with those alternatives, the main part of the discussion in the RBPS, as well as the RBPS Metrics, clearly ties the expected response to the HSAS. This entire section of the Guidance document will essentially be useless when DHS eliminates the HSAS later this month.

Whatever the deficiencies in the HSAS system (and there are many), it did provide something to which a facility could tie its changes in security response. The SSP could be designed for the base condition, and enhanced procedures could be defined for each increase in the reported threat level.

No Anchor for Enhanced Security

While the details of the new threat communication system have yet to be published, Secretary Napolitano has made clear that it will be more detail-oriented, targeting specific industries or communities that are under an identified increased threat of terrorist attack. The intention is to make the information clear enough and specific enough that only those people clearly at risk need to respond, and that they can respond in a cost-effective manner.

This certainly seems to make sense. There should be no need for most people to worry about most clearly identified threats. And entities under a specifically identified threat probably do not need to take a generic action, but need to formulate a specific, targeted response.

The problem is that security planning and execution take time. The current HSAS allows facilities to identify in advance the generic increases in security that would be necessary and to make the advance coordination that would allow for the prompt execution of those measures. When a specific threat is identified, further security measures can be developed based upon previously identified measures.

Without the generic threat advisory to which facilities can tie their generic responses, the facility will have to start its security planning from the base case each time a targeted threat advisory is provided by DHS. Or will it? While the details will depend on the specifics of the new DHS alert system, there is a way to address the enhanced threat issue.

Enhanced Security Planning

First, we have to assume that the DHS alerts will, in some form, come in both generic and specific forms. The generic forms will still be more targeted than the current HSAS but will apply to an area or industry rather than a specific facility and will not include much in the way of specifics about expected attack modes. Specific alerts might still address a number of facilities, based upon either area or industry, but would provide more details on the expected form of attack. The most targeted warnings would provide an unusual level of warning about a specific facility.

Now the question becomes: how does a facility provide for these types of alerts in its site security plan? I think the simplest way to do this is to go back to the SVA and look at which terrorist attack scenarios were determined to apply to the facility. Then, for each of those scenarios, there would be three levels of increased threat that would need to be addressed:

● DHS notification of increased threat to region;

● DHS notification of increased threat to industry; and

● DHS notification of increased threat specifically to facility.

This would give the facility the type of specificity in its threat response that DHS is attempting to achieve with its revised alert system. This should also allow most facilities to reduce their security costs as they should be spending less time in an enhanced security mode.

ISCD Re-write of RBPS Guidance Needed

At least, if I were in charge (and I am certainly not), that is the way that I would organize things. This is an area that ISCD needs to address quickly. Unfortunately, I would suspect that their current focus is more on the completion of SSP pre-authorization and authorization inspections. I would bet that no one has even considered re-writing the RBPS 13 section of the Guidance document in preparation for the elimination of the HSAS.

That is not a criticism of ISCD; they do have higher priority problems that need to be addressed. Unfortunately, that doesn’t provide much help to people like my reader who need to complete their SSP development or update their SSP submission for the change in circumstances. Fortunately, there are not that many (are there any yet?) facilities that have an actual, approved SSP to update (that was a sarcastic criticism).
