This is the fourth in a series of blog posts about the
recently published American Chemistry Council Alternative Security Plan for the
CFATS program. The earlier posts are listed below. This post will look at the “ACC
ASP Template Final20121107” (Template) Word file that is imbedded in the “Alternate
Security Program (ASP) Guidance for CFATS Covered Chemical Facilities”
(Guidance document) that forms the core of the downloadable program.
Protective Markings
The template is essentially the same as the last twenty
pages of the on the instructions that I discussed in the earlier post. There
are, however, some important differences between the two. First the template
includes all appropriate Chemical-Terrorism Vulnerability Instruction (CVI)
markings that will have to be on the document when it is submitted to DHS,
including front and rear ‘cover’ pages and a footer “warning” statement. As
soon as any facility information is placed in the template it becomes a
document requiring CVI protection.
Any attached documents will require the same cover pages and
page markings. Cover pages can be found on the CVI web
page.
Formatting
The basic format of the document is an outline based upon
the outline found in the Table of Contents. The outline markings are based upon
bullet points instead of letters or numbers. If you want to change it to a more
classical outline that allows easy reference to the paragraphs within the
sections that can easily be done in Word®. Personally I would use a numbered
outline system for reasons that will be clearer shortly.
Unlike the template found in the Instruction document, the
page numbering on the Table of Contents page is not actually linked to the
section headers. One of the last things that you are going to want to do before
submitting the completed ASP document in the DHS CSAT SSP Tool will be to put
the appropriate page numbers in the Table of Contents. This will actually make
it easier to copy sections from the template into separate documents to farm
out the completion of the information to different people or teams. Again,
remember that the CVI marking and protection rules will have to followed for
those abstracted sections as soon as any facility information is entered.
Duplicate Information
There will be places in the document where the same
information will be entered in different places. While DHS won’t be concerned
about seeing duplicate (the key here is that it really is duplicate)
information in multiple places, there is a good reason for not writing the same
information in more than one place. If you have to go back and make a change to
it for some reason you may miss one or more iterations.
It will be more effective to write it one time and then
refer back to it in later places in the ASP documentation using conventional
notations like “{See Section 5.2(a)(1)}”. This is the reason that I suggest using
number (or lettered) paragraphs within each section instead of bullet points.
Detailed Information
This bears repeating, one of the main problems that DHS has
encountered with their SSP authorization process has been that an inadequate amount
of information describing parts of the security process for the facility has
been included in the SSP submission. While the ASP process makes submitting the
information easier (and subsequently more useable) there still needs to be a
sufficiency of information provided.
Remember, analysts will be sitting in an office building
somewhere reading the information provided by the facility trying to determine
if the security measures provide an adequate measure of protection for the
facility at its present tier level. Telling them in section 5.1 that there is a
chain-link fence around the facility perimeter is not adequate information,
they need to be told something like this:
“The facility is protected by 1,257
feet of commercial grade chain link fence. All segments of the fence are 8 foot
tall with an outward-facing 18” top-guard with four strands of razor-wire.
Corner posts have two top guard supports at a 90 degree angle from each other.
Fence posts are set in three foot of concrete and placed at no more than 15
foot intervals. A single course of cinderblocks set in an 18 inch deep concrete
footing runs under the fence fabric between each post with anchors placed no
further than three feet apart to attach the fence fabric to the cinder block.”
Okay, my fence is a bit of overkill, but it is completely described.
Not Too Much Information
Remember that every detail that you put into the ASP
submitted to ISCD is an inspectable part of your site security plan. To change
any of those details you have to re-submit the revised ASP and hope that it
passes muster with DHS. If you make changes without that pre-approval, it could
cost you up to $25,000 per day, or, in the worst case, cause DHS to issue a
facility closure order.
The area that will probably cause the most problem for this
is not the physical plant. The more likely area will be in processes and
procedures. Where possible the process or procedure documents will be
maintained in documents separate from the ASP and the title of the appropriate
document will be mentioned in the ASP where necessary.
For example if you use padlocks on unloading valves as part
of your process to protect access to a COI you are going to have to have some
method to maintain control of the keys to those locks to prevent that unauthorized
access. Rather than outlining your entire key control process you could explain
that: “The keys for those valve locks are maintained in the locked key box in
the Shift Supervisor’s Office and are only issued in accordance with the
provisions of the Facility COI Key Control Procedure.” Once part of the
authorized SSP, that wording would allow a Chemical Facility Security Inspector
(CFSI) to verify that the process in that procedure was being followed, but not
to evaluate the details of that process.
It would probably be a good idea to maintain a list of all
of the referenced processes and procedures in Section 1 of the ASP.
Key Words and Phrases
One of the things that does not receive enough emphasis in
the supporting documentation for the ASP is the importance of using certain key
words and phrases when describing facility security measures. These key words
and phrases can be found in the RBPS Metrics for each Risk-Based Performance
Standard in the RBPS
Guidance document.
For example section 5.1 of the ASP calls for a description
of ‘Vehicle Barriers’ and the Security Metric 1.2 for Restrict Area Perimeter
(pg 29) Tiers 1 and 2 calls for “Entrances equipped with traffic control
systems to slow incoming traffic…”. Given that combination I would suggest that
the description start with:
“The single vehicle gate is
equipped with traffic control devices to slow incoming traffic. The traffic
control devices consist of ….”
Memorandum of Understanding
There are a number of references to “MOU in place” in the “Emergency
Responders, Off-sit” paragraphs of Section 2 of the ASP. An MOU is a memorandum
of understanding between facility management and an organization outside of the
facility (local police, fire departments, or emergency medical services for
instance) that is providing some sort of support to the facility Site Security
Plan.
As long as the facility is relying on an outside agency as
part of its SSP, it needs to be able to show that the agency is prepared to
provide the necessary services. The MOU needs to specify what type of support
will be provided, under what circumstances, and what type of response time
could be expected. Probably the most important aspect of the MOU is that it
needs to be signed by an appropriate official of the supporting agency.
One More Posting
The next and final posting in this blog series will address
how the completed ASP is submitted to DHS.
Posts
No comments:
Post a Comment