Tuesday, July 19, 2011

Fixing the Site Security Plan – Changing Questions

In a blog post this weekend on CFATS spending, I may have mentioned in passing that ISCD is having problems with their SSP approval process. In fact, I may have mentioned the same thing in a couple of other posts as well (okay, I apologize for the sarcasm, kind of anyway). It’s always easy to criticize, so I thought that I’d try to take the high-road and suggest how that problem might be addressed in a relatively easy manner.

Background Information

But first, I’d like to suggest that my readers go to ChemicalProcessing.com and download their latest CFATS publication (actually ADT’s latest publication on their site) “CFATS: Surviving the Site Security Plan”. It provides a brief description of the current SSP situation and their recommendation for how facilities can help to overcome the problems. In particular everyone should read the short “Painting a Picture” section on page 3. To save you some time, I’ll share the first paragraph here:

“Rather than simply answering 'Yes' for a question, answer 'Other' and take the opportunity to give an expanded written answer. The information in the 'Other' boxes should describe, in detail, the facility’s security posture, including physical security as well as specific procedures and policies. Take credit for measures already in place, even if those measures do not fit perfectly within the scope of the question, and use the 'Other' box to provide sufficient detail.”
Now this is not really new information, Last December DHS published a new CFATS pamphlet, “Helpful Tips for Completing a Chemical Facility Anti-Terrorism Standards (CFATS) Site Security Plan”. It included the following as the introduction to its first tip; “Appropriate Level of Detail”:

“An SSP must include sufficient detail to allow DHS to exercise its responsibility to determine whether the SSP satisfies the CFATS risk-based performance standards (RBPS). To date, many of the SSPs submitted have provided simple Yes or No answers (or similarly brief, non-descriptive responses) to many questions in the CSAT SSP application. Such answers typically do not provide enough information for DHS to make an informed judgment on whether the facility’s security measures satisfy the applicable RBPS.”
All of this makes perfect sense if one realizes that the people making the decisions about the approval or disapproval of the SSP will probably never see the facility. The information that they need to determine whether or not the facility security measures will adequately address the Risk-Based Performance Standards (RBPS) will have to come completely from the SSP submission.

One final point that must be kept in mind is that Congress has specifically prohibited DHS from requiring specific security measures as a basis for the approval of a site security plan. This means that a simple checklist will never provide enough data to allow for an adequate evaluation.

Revise SSP Questions

All of that is good to know but DHS turns right around and does its best to insure that during the SSP submission process, they ask for less information than they need. If you look at the latest version of the SSP Question Manual published last month you’ll see what I mean.

For example turn to RBPS 1 – Restrict Area Perimeter and look at page 65. You’ll see two questions about perimeter fences. The first question asks for a description of the fence and provides selection buttons (‘Yes’, ‘Partial’, and ‘No’) for a list of common fence types. The second question addresses the Fence Top Guard installed on that fence. For both questions one of the available selections is ‘Other’. There is also a text box to provide additional information.

Unfortunately, the instructions for that box continues to read: “If ‘Other’ is selected, enter a description:”. A more reasonable instruction, given the need for the facility to ‘paint a picture’ of the fence, would be: “Enter a description of the ‘Fence Barrier’:”.

I would suggest that even that would not really insure that ISCD receives all of the information that they need to evaluate that ‘Fence Barrier’. With ‘Partial’ coverage an expected response about a particular type fence, there should also be a prompt to explain that partial coverage. Additionally, there should be a prompt to provide a basic idea what information a description of the ‘Fence Barrier’ should include.

Here is how I would write the instruction for the Fence Barrier text box.

“Describe each type of fence barrier selected. Include information on materials of construction, footings, and physical size and configuration of fence. Explain the extent of any partial coverage.”
Additionally, since everyone knows that a picture is worth a thousand words, I would add a specific provision here for uploading pictures of the Fence Barrier. Digital photography is so ubiquitous that there is no reason why one would not want to include photographs in the SSP submission. Some photos would be better than others, but a really bad photo could just be ignored by the evaluators.

There is an alternative way of looking at the information requirements for questions like this. DHS could just add an additional layer of questions. For example, if a facility selected the ‘Yes’ button for ‘Chain Link’ the following additional questions could pop up that would require a short text entry answer:

• How tall is the fence?

• How far apart are the support poles?

• How are the support poles anchored to the ground?

• Is there a top bar along the top of the fabric?

• Is there a bottom bar along the bottom of the fabric?

• Are there privacy slats in the fence fabric?
The problem with this type of questioning is that there is always just one more question that could elicit just that one last piece of additional information. For example privacy slats can go in one direction or two and bi-directional slats make it more difficult to climb or cut the fence. They can be made of metal, plastic or wood. And on and on and on.

I think that for most of the questions in the SSP submission it will be more than adequate to change the wording of the current ‘Other’ text boxes to solicit descriptive information for the pertinent questions. Adding provisions for photo submissions would also be a good general move. There may, however be places where there will need to be additional questions added to ensure that ISCD personnel have adequate information to conduct their evaluations.

Writing Site Security Plans

I want to take this opportunity to point out to facility security managers something that I have said on many occasions. The current DHS SSP submission is misnamed. It is not a ‘Site Security Plan’. It is just a really extensive series of questions about how the facility manages its site security.

A real ‘Site Security Plan’ would be a document that describes in even greater detail the actual structure and organization of the security of the facility. It would include the types of descriptive detail I mentioned above, but it would also assign responsibility for various parts of the plan and describe how temporary problems with the plan would be dealt with.

For example the part of the plan dealing with the perimeter barrier would:

• Describe how the barrier fits into the security program;

• Describe the actual barrier;

• Describe who is responsible for inspecting the barrier;

• Describe who is responsible for repairing the barrier;

• Describe what compensating measures will be used while the barrier repair is being scheduled and completed; and

• Describe the procedures for making changes to the barrier.
If a facility had such a detailed Site Security Plan, they could use that document to provide the information required to complete the ‘new’ text boxes that I am proposing that DHS include in their SSP submission questions.

No comments:

/* Use this with templates/template-twocol.html */