2012 CSSS Presentations – SSP Lessons Learned

This is the second in a series of blog posts about presentations made at the recent 2012 Chemical Sector Security Summit. The first in the series dealt with the problems associated with the presentations in general. The subsequent posts will deal with the information provided in the slide presentations. The published presentations only provide the outline, I’ll try to fill in what information that I can from other sources or my best guesses.

2012 CSSS Presentations Available – Really

The first presentation that I’ll look at is the SSP Lessons Learned (or CFATS Update, depending on which web page you look at) made by John Ferrell. The presentation states that he works in ISCD and the most recent information I can find (from 2009 and that is certainly out-of-date with the multiple changes in ISCD) shows him being an Inspector and the Acting Section Chief for Strategic Operations.

CFATS Update

The presentation provides some statistical data on the CFATS program as of August 1, 2012 (the most recent data that I’ve seen). It provides four basic sets of data; regulated facilities (“approximately 4500”), tiering distribution (3% Tier 1, 12% Tier 2, 29% Tier 3, 55% Tier 4), security issues (94% Theft/diversion, 32% Release, 14% Sabotage), and facilities no longer covered (1,809 removed COI, 925 reduced COI).

I find it interesting that the only time actual numbers are provided is when they discuss the number of facilities removed from the program. This comes out to about 38% of the original number of facilities. It would be interesting to see if anyone has done anything to determine how many (if any) of these removals were due to the economic downturn.

The fact that the security issues comes out to a total of 140% should not come as a surprise to anyone. Many facilities are going to have multiple COI under different security issues and some chemicals are listed under multiple security issues. What is scary is that the bulk of covered facilities are theft/diversion COI. Insider pilfering, for example, of relatively small quantities of these materials could result in the construction of significant weapons (either IEDs or chemical weapons).

SSP Status

There is one slide on the status of the SSP program. A total of 63 facilities have had their SSP authorized or conditionally authorized (nobody has ever defined the term ‘conditionally authorized’ in a venue that I have seen) that is only eight more than Secretary Beers testified (pg 5) had been completed in February. The presentation notes that 14 authorization inspections have been completed (as of August 1, 2012), but does not say that any SSPs have been approved (the hoped for result of an authorization inspection).

Oh yes, the current goal of completing Tier 1 inspections has slipped again, from by the end of FY 2012 to “as soon as possible”. That is certainly comforting.

SSP Lessons Learned

There is a nice slide about what SSPs should include. Here is the complete list:

• More detailed descriptions of security measures

• Information on all 18 Risk-Based Performance Standards (RBPS) – if an RBPS is not applicable, state why the RBPS does not apply

• Safety and environmental measures that contribute to security, if appropriate

• Descriptions of planned measures the facility has committed to implement

• Descriptions of proposed measures on which the facility would like Department feedback

• Whether a security measure is applied facility-wide or to a specific asset

Now most of these are addressed (certainly incompletely) in the questions asked in the SSP submission tool. Either industry is not competent to answer these questions as asked (I seriously doubt that that is the case) or ISCD is not asking the right questions. So, I’ll ask again a real simple question, why hasn’t ISCD re-written the SSP questions so that industry can provide the required information? If it makes the questions more complicated, so be it.

Miscellaneous Information

The last two information slide provide typical fluff information about the program, including some web links. One of the slides does mention that facilities can directly contact the local Commander (regional head of Chemical Facility Inspectors) and notes that the contact information had been made available in the ‘Conference booklet’. This would be some nice information to have on the DHS web site.