Sunday, July 17, 2011

CFATS Spending

One of the things that I enjoy about this blog is some of the questions that people send to me. Last week I received an email from a reader who wanted to know what I knew about CFATS spending patterns. It turns out that it was really an investment question about delays in spending on CFATS security measures and how that related to income patterns for security companies.

Now I certainly don’t have any investment grade information on how much facilities are spending on CFATS related security measures, either in individual cases or even just gross industry estimates. Given the diversity of the types of facilities covered and the way that the Risk-Based Performance Standards are set up, I don’t think that anyone has a real good handle on this information. On the other hand, the question does provide a rather interesting way to look at the CFATS program and the progress of its implementation.

Pre-CFATS Security

Most high-risk chemical facilities prior to the April 2007 publication of the CFATS regulations had basic security measures in place. This would typically include perimeter fencing, maybe gate guards and the like. But most companies were more focused on safety issues rather than real security. Certainly after 9-11 the larger facilities put more emphasis and spending on security measures, but it was the rare facility that made serious efforts at maintaining a high-profile security program.

There were exceptions of course. Refineries and large chemical complexes, particularly those owned by companies with overseas exposures always took security more seriously than their smaller counterparts. They stepped up that security even more after 9-11. And there were some facilities that had security concerns unrelated to terrorism that had significant security measures in place all along. But, in general, physical security measures were relatively low on the list of corporate spending programs.

Pre-SSP Spending

After the publication of the CFATS regulations in the spring of 2007, but before the implementation of the Top Screen program in late December of that year, I think that we can assume (I haven’t seen any data so I’m making assumptions here) that there was some increase in the spending on security consultants and the like, but most facilities were taking more of a wait and see approach to the CFATS program; holding their breath and hoping that they weren’t going to become covered facilities.

After the Top Screen submissions and facilities began receiving notifications from DHS that they were ‘preliminarily’ declared to be high-risk facilities, security spending certainly increased, but again, this was mainly for consultants to help facilities do their security vulnerability assessments. For many facilities though, those SVAs were eye openers about security matters, particularly when they were being guided by outside consultants that really understood security matters. Spending on basic security measures probably started increasing significantly at this point.

Major security spending, however, was put on hold in most cases until DHS published their Risk-Based Performance Standards Guidance document in May of 2009. At this point facilities had a better (but certainly not good) understanding of the types of security measures that DHS was going to be looking for in the site security plans (SSP). There was a major drawback to this document however. Because of Congressional limitations on DHS CFATS authority, DHS could not clearly specify which security measures would be required.

On one hand this was a good thing. It was intended to provide facilities the largest possible latitude in designing effective security measures tailored for their specific situation. It clearly recognized that the diversity of the chemical industry prevented the establishment of cookie cutter security programs.

Unfortunately, it also introduced a lot of uncertainty into the security planning process. Without clear delineation of what was required and what was not, management was going to be reluctant to authorize spending on high-dollar value security projects.

DHS made provisions for this uncertainty in their SSP submission program. Facilities did not necessarily have to have all security measures physically in place when they submitted their SSP for review. They could include in their SSP submission projects that only existed on paper. There were two levels of these paper projects. The first was “Planned Projects”; ones that were firm plans and had budget commitments clearly documented. The second was “Proposed Projects” that the facility was considering but not yet committed to. Both of these types of projects required the expenditure of planning money up front, but avoided the actual expenditure of capital funds until their actual status became clearer after the DHS review of the SSP.

SSP Delays

Unfortunately, the SSP review and approval process has not proceeded in the way that either industry or DHS had desired. For a variety of reasons that have not been clearly delineated DHS has not had adequate information to approve site security plans based upon the information submitted via the on-line Chemical Security Assessment Tool (CSAT). Originally the plan was for DHS to review the SSP submissions using a combination of computer analysis and expert reviews to determine if the plan was adequate. After giving a preliminary approval based upon that plan, DHS would then send out their limited staff of trained Chemical Facility Security Inspectors (CFSI) to inspect the implementation of that plan. Only after the actual implementation was okayed would final approval be given to the SSP.

Unfortunately, the inadequate information provided in the SSP submissions required DHS to institute another intermediate inspection process where the CFSI went to the facility to work with the security management team to develop the information required for the evaluation of the written plan. According to unofficial information I have heard from the recent Chemical Sector Security Summit, DHS has reportedly only done 175 of these pre-approval inspections to date. The last official word from DHS that I have heard was that only four SSP submissions have been approved and were pending final inspection.

The big problem here, from a facility perspective, is that security capital spending plans are in limbo. Problems in the automotive and home construction sectors have hit the chemical industry particularly hard and there is a reluctance approaching inability to spend unnecessary capital funds. Capital spending on nebulous security requirements is particularly hard to justify. Where possible these projects have been put on hold, where necessary they have been canceled.

At some point this has got to have an adverse impact on the security industry. The CFATS program has had to result in an expansion of many portions of that industry, particularly in the consultant and planning portions. The delays and cancelation of high-dollar security projects have had to have an impact on the income of consultants and suppliers alike. At some point, many of these people are going to have to get out of the business that they got into because of the CFATS program.

This will inevitably cause implementation delays. Projects that were planned by people that are no longer in the business will have to be re-thought, planned and justified by consultants and planners that have remained in the business. New suppliers will have to be found to replace those that have gone out of business. In some cases no replacements will be available for innovative products and services from companies that are no longer around.

Continued Delays

There does not seem to be any significant relief in sight for the delays in the pre-approval and approval process for the Site Security Plan program. DHS has been in the reactive mode trying hard to get the 200-some-odd Tier 1 facilities through the SSP process in an inevitably manpower intensive manner. The recent turnover in managers and supervisors in the home office has complicated the problem resolution process. Meanwhile, over 3,000 Tier 2, 3 and 4 facilities have their security planning process placed entirely on hold, wondering when their SSP submissions are even going to be looked at.

I would like to assume that DHS is doing everything that they can to resolve this issue, but I can’t see any clear indications from the outside one way or the other. I know that there is significant dissatisfaction in the inspection force and many of the mid-level people at headquarters, but it is not clear whether this is more of an issue of personalities or serious dysfunction or just the stress of being in an untenable organizational situation.

I do know from personal experience that when you’re fighting alligators it is hard to remember that your original job was to drain the swamp. It is easy to criticize people who are in the middle of a reactive battle to keep their heads above water as they are prone to make mistakes. It is the nature of the beast; the situation is not conducive to careful consideration and long-range planning.

Congressional Inaction

Congress has done nothing to help this process. Recent hearings have glossed completely over the delays, focusing on the ‘success’ of the program to get facilities to this place in limbo. There have been no investigative hearings into what needs to be done to solve this problem; no examination of what additional resources or guidance might be necessary. Even the opponents of the current program want to extend the responsibility and coverage of the program without thinking about addressing the causes of the delays in the present program.

The most supportive thing done by Congress to date is the offering of an amendment to one of the three reauthorization bills moving through the legislative process that would require DHS to respond to an SSP submission within 180 days. This would only mean that DHS would have to formally disapprove the plans that they are currently working with facilities to improve. At best this would result in further delays in the approval process as cursory attention must be paid to lower tiered submissions to meet the arbitrary time limit. At best this is going to involve DHS in extensive litigation as facilities demand to be told what the deficiencies are in their plan that resulted in the disapproval and DHS is only able to give them vaguely worded answers because of Congressional prohibitions against requiring specific security measures. DHS does not need a congressionally mandated adversarial atmosphere to be established in this program.

What is needed is a thoughtful outside appraisal of the problem and help with establishing realistic solutions. The DHS IG, the GAO and more importantly the Congressional oversight committees should conduct a detailed look at this problem. Properly done this could provide DHS with some much needed help.

Of course, we could just continue down this current path. Sooner or later an attacker (probably home-grown and non-Islamic) will successfully exploit the current security confusion and execute a relatively unsophisticated attack against one of these facilities. It will most likely be a chemical diversion attack on a Tier 3 or 4 facility to gain access to chemicals necessary for a larger attack somewhere else. When that happens, we’ll see some action on security measures, you betcha. Too late to be of any good, but they will be impressive.
