Yesterday the folks at the CFATS Help Desk updated the CFATS
Knowledge Center by eliminating one frequently asked question (FAQ # 1649) and
essentially replacing it with a new Article, # 1729. While both deal with the
process for a facility to request an extension of a CFATS submission deadline,
the new procedure is substantially different from the previous process and
there is a much more detailed explanation of the procedure in the new Article.
Written Requests
The old FAQ was essentially a provision of the mailing
address (one for USPS and one for delivery services) for the Director of ISCD.
The only other information provided was a brief statement about what had to be
included in the request (“please include the facility ID and an explanation for
the facility’s extension request”) and a reminder to properly mark and mail any
Chemical-Terrorism Vulnerability Information (CVI); short, sweet and to the
point.
The procedure for sending a written request for an extension
remains much the same. They did eliminate the double printing of the address,
providing just the one address for both modes of snail mail delivery. If you
are using USPS you can still eliminate the two lines between “Mail Stop #0610”
and “Washington, DC 20528” as mail to government offices gets checked and
deloused as necessary at the ‘Mail Stop’ before it gets to the District.
Electronic Requests
There were no provisions mentioned in the old FAQ for the
electronic submission of extension requests. The closest it came was a specific
prohibition against faxing such requests to the Help Desk.
The new CFATS Knowledge Center Article explains how a new
application within the on-line Chemical Security Assessment Tool (CSAT) allows
a Submitter to submit an extension request on-line. Once signed into CSAT and on
the CSAT Survey List screen there is now a button for “Request Extension” for
the pending survey (SVA or SSP). The Article goes on to explain the steps that
need to be followed to complete the request, but they do seem to be fairly
straightforward and in keeping with the feel of the rest of the CSAT tools.
Once the request has been submitted the “Request Extension”
button on the CSAT Survey List screen will be replaced by an “Extension Request
Pending” message. If you submit your request by snail mail, this same change
will let you know that ISCD has started the process of reviewing your request.
Notifications
There is one other small change that has been made in this
process that you have to be fairly alert to catch. At the end of the first
paragraph in the Article there is the following sentence:
“Upon receipt of the extension
request, whether in paper or electronic form, the Department will review all
relevant information and notify the
facility of the Department’s decision through CSAT [emphasis added].”
Recently ISCD stopped sending their CSAT related letters to
the facility via FedEx (Did the Post Office know about a government agency
using FedEx instead of USPS?). They now only provide an email notification to
the Submitter that a copy of the letter is available on CSAT. I’m not sure if
this was done as a cost saving measure (and it surely is) or a security measure
as FedEx doesn’t ensure ‘eyes only’ delivery directly to the addressee. Since
CSAT is a ‘secure on-line tool’ this does increase security.
Phishing Problem
Or does it? The folks at ISCD have inadvertently compromised
the security of the CSAT tool by setting up people registered on CSAT for
phishing attacks. Let me explain….
ISCD requires that passwords for the CSAT tool be changed
every 90 days; a bit excessive perhaps, but it does increase security
particularly because there can be long periods between sign-ons. To help people
remember to update their passwords, ISCD sends out a “Password Expiration
Notice” email at 60 days, intended as a helpful reminder. Unfortunately, they
include a link to the CSAT site in that email making it easier for an
individual to complete the update process.
Anyone with any cybersecurity sense knows that clicking on a
link in a ‘password update’ email is a sure way to be taken to a fake web site
that will accept your sign-on name and your current and new password; giving
someone else full access to your site information. Unfortunately, the number of
people with cybersecurity sense appears to be limited as this is one of the
most successful phishing ploys around.
Now this isn’t a new problem at ISCD. I
wrote about this back in 2008. It has recently come to my attention that
this problem is continuing to this day. If they must send out reminder emails,
ISCD needs to conduct a significant educational campaign reminding people about
the problem of clicking on links in emails that go to “sign-on pages”. They
MUST also stop including such links in their emails, that is, in all emails going to registered users of CSAT.
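As an added illustration (not part of this post, and not any ISCD or CSAT code), here is a small mail-gateway check that flags password-reminder messages carrying sign-on links, the pattern the post warns about. The sender addresses, the allowlisted host and the sample messages are constructed placeholders, not real CSAT values.

```python
"""Flag password-reminder e-mails that carry sign-on links.

Added example; not from the blog post and not ISCD/CSAT code. The
allowlisted host, sender addresses and sample messages are constructed.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist: the only host a genuine reminder may reference.
EXPECTED_HOSTS = {"csat.example.gov"}          # placeholder, not the real CSAT host
REMINDER_RE = re.compile(r"password\s+(expir\w*|reset|update)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)   # bare or href= URLs


def assess(raw: str) -> dict:
    """Classify one RFC 822 message: allow, warn (link in a reminder) or block."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    links = list(dict.fromkeys(URL_RE.findall(body)))      # dedupe, keep order
    is_reminder = bool(REMINDER_RE.search(subject) or REMINDER_RE.search(body))
    unexpected = [u for u in links if urlparse(u).hostname not in EXPECTED_HOSTS]
    if is_reminder and unexpected:
        verdict = "block"   # credential lure: reminder plus link to an unknown host
    elif is_reminder and links:
        verdict = "warn"    # policy violation: reminders should carry no link at all
    else:
        verdict = "allow"
    return {"reminder": is_reminder, "links": links,
            "unexpected": unexpected, "verdict": verdict}


# Constructed samples: a look-alike lure, a genuine-but-linked reminder, a clean one.
LURE = ("From: help-desk@csat-notice.example\n"
        "Subject: Password Expiration Notice\n\n"
        "Your CSAT password expires in 30 days. Sign in at\n"
        "https://csat-login.example/signin to update it.\n")
OFFICIAL = ("From: helpdesk@csat.example.gov\n"
            "Subject: Password Expiration Notice\n\n"
            "Please sign in at https://csat.example.gov/ to update your password.\n")
CLEAN = ("From: helpdesk@csat.example.gov\n"
         "Subject: Password Expiration Notice\n\n"
         "Your password expires in 30 days. Open CSAT the way you normally do\n"
         "and update it from the account menu.\n")

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("official", OFFICIAL), ("clean", CLEAN)):
        print(name, assess(sample)["verdict"])
```

The "warn" verdict encodes the post's own recommendation: even a link to the genuine host trains users to click, so reminders should contain no sign-on link.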