Sunday, December 23, 2012

ACC Publishes CFATS Alternative Security Program


On Friday the American Chemistry Council posted their “Alternate Security Program (ASP) Guidance for CFATS Covered Facilities” on their web site. This .PDF document, along with its two embedded .DOCX documents provide information and a template for submitting an alternative (this is the DHS terminology) security program to DHS in lieu of the complete Site Security Plan DHS provides on its Chemical Security Assessment Tool (CSAT) site.

ASPs


Section 550(a) of the Homeland Security Appropriations Act of 2007 specifically authorizes the DHS Secretary to “approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations”.

In a number of Congressional hearings I have heard Congressmen incorrectly explaining to industry and DHS witnesses that the ASP allows DHS to “give industry credit for work they have already done on site security”. This is very misleading in that there are no provisions in the law or regulation that allows the approval of an ASP for a security program that does not meet the standards set forth in the Risk Based Performance Standards (RBPS) Guidelines document based upon §27.230 of the CFATS interim regulations.

Nor does the preparation of an ASP obviate the need for using the Site Security Plan tool within CSAT. The SSP tool will, in fact, be the tool used to submit the ASP. After the facility ensures that the Facility information portion of the tool has been completed, the SSP tool {Site Security Plan Instruction Manual, pg 29} will ask four questions about the potential use of an ASP:

• Does the ASP address each security/vulnerability issue identified in the facility’s SVA, and identify and describe security measures to address each such security/vulnerability issue? [Q:5.61-18413]

• Does the ASP identify and describe how security measures selected by the facility will address the risk-based performance standards and potential mode of terrorist attack? [Q:5.61-18414]

• Does the ASP identify and describe how security measures selected and utilized by the facility will address each applicable performance standard for the appropriate risk-based tier for the facility?

• Does the ASP provide other information that the Assistant Secretary has deemed necessary, through the DHS Final Notification Letter or other means, regarding facility security? [Q:5.61-18416]

Only if a submitter can answer ‘Yes’ to all four questions should the ASP be submitted.

So, if all of the work necessary to prepare an SSP has to be done anyway, why use an ASP? The answer is three-fold.

First, the document that a facility will upload to the SSP tool for their ASP (in the case of this ASP in any case) will actually be able to serve as a formal site security plan. The document will actually be able to be read and understood by both facility personnel and DHS Chemical Facility Inspectors, and the information will be readily accessible. The same cannot be said for the printed copy of the question/answer format of the DHS SSP tool.

Second, we know that the current SSP tool has proven to be totally inadequate as an effective data collection device. The routine responses to the questions asked in the tool have not provided adequate information for DHS analysts to determine if the facility site security plan adequately addresses the RBPS guidelines. This ASP does seem to me to better address the data collection needs of DHS, making for a smoother SSP approval process.

Finally, at the end of the day, the approved SSP (SSP/ASP) will serve as the standard by which the facility security program is measured in all future inspections by DHS. A formal document like the one prepared in this ASP will be a much better reference for facility personnel and DHS inspectors to go back to determine what the actual approved security program is for that facility; something that cannot be easily done with the current SSP tool format.

The ACC ASP


The American Chemistry Council is a large industry group that represents a significant portion of American chemical production companies. They developed this ASP principally as a tool for their member organizations that have facilities covered by the CFATS program. As I currently understand things the ACC will allow anyone to use their ASP. There is no log-in required to be able to download the document and the ACC has no way of know who uses their format to submit data to DHS.

As would be expected, the ACC is not making any specific claims about the use of this ASP; they have no control of the information the facility places within the document. Their guidance document clearly states that:

ACC takes no responsibility for any action taken by an individual ACC member or other party.”

The format and style has been approved by DHS. That does not mean that DHS will automatically approve an SSP submitted using this format. It simply means that DHS has worked with ACC and that the format, properly executed, should be able to provide the necessary information in a format that DHS can use to evaluate the efficacy of the facilities SSP.

According to Scott Jensen, Director for Issues Communications at the ACC, there have been at least two facilities that have used this ASP to complete their SSP filing. In both instances, the folks at DHS used a protocol that was used very successfully in the development of the Top Screen and the Security Vulnerability Assessment tools; they had folks (analysts and inspectors) on site during the submission process to see how things actually worked on the ground. Their feedback along with comments from the facility teams, allowed the ACC to do the fine tuning necessary to make this a workable ASP format.

More Work Required


One thing is very clear to me, it is going to take much more work to complete the ACC ASP than it would be to answer the questions in the DHS SSP. Writing out the information in clear and understandable prose can be hard work, much harder than clicking on boxes or preparing short answers to specific questions. On the other hand nobody has gotten a site security plan authorized based upon the submission of the SSP tool. DHS has had to come back and dig for additional information to get what they needed.

Additionally, the facility was going to have to write a useable site security plan document in any case and that was going to be duplicative work. Why not use the same document to fulfill both requirements?

Future Posts


As my long time readers will have come to expect, I’ll be taking a more detailed look at the ACC ASP in future blog posts.

1 comment:

Anonymous said...

I have read your post, which I find to be very well done, as one might expect.

However, your observation that the ASP would take more work to complete is not actually the case. In fact, the opposite was reported by several owner/operators who were involved in the pilot testing and said that the ASP saves significant time over the SSP. This is true mainly due to the amount of duplication that is eliminated in the ASP versus the SSP.

The ACC ASP provides guidance and instruction on the type of information and the level of detail needed to complete a successful ASP. Much of this guidance and instruction was developed in cooperation with DHS. This should be no surprise, since DHS is the one who has to analyze them. The DHS field inspectors who participated in the pilots also reported that the ACC ASP offers a significant improvement over the SSP for use during auditing.
We believe the ASP will be very helpful toward simplifying and streamlining the process for both the regulated community and DHS.
While there is more work to be done, the willingness of DHS to work with industry is a step in the right direction. Moving this type of partnership forward will be critical to the overall success of CFATS and enhancing chemical security across the nation.

Regards, Bill Erny, American Chemistry Council

 
/* Use this with templates/template-twocol.html */