Earlier this month the Congressional Research Service (CRS)
published their latest version of their report on the Chemical Facility
Anti-Terrorism Standards (CFATS) program. This periodic report by Dana Shea summarizes
the current state of the CFATS program, explains current problems facing the
program. Past reports included an analysis of various potential solutions for
CFATS problems that may require Congressional action, that is missing from this
version.
SSP Process
Given the on-going congressional concern about the progress
being made on the Site Security Plan (SSP) front Shea takes a detailed look at
that portion of the program. This discussion begins very good, concise summary
of the SSP regulatory process:
“Over time, the DHS has attempted
to develop a consistent nomenclature for its review and inspection process. The
DHS authorizes an SSP (issuing the facility a letter of authorization)
when the submitted SSP is satisfactory under CFATS. The DHS conducts an authorization
inspection of a facility with an authorized SSP to compare the
authorized SSP to the conditions of the facility. Following a successful
authorization inspection, the DHS approves the SSP (issuing the facility
a letter of approval). At a later date, expected to be one year after
approval of the SSP, the DHS will conduct a compliance inspection of a
facility to determine whether the facility has fully implemented its approved
SSP. Compliance inspections then occur on a periodic basis depending on the
risk tier to which the facility is assigned.” [Footnotes removed]
What is missed in this discussion is why such a complicated
SSP process is necessary. Since Congress declared in the CFATS authorization
that DHS may not specify what security measures are required for SSP approval,
DHS was forced to publish a rather vague Risk-Based
Performance Standards (RBPS) guidance document and facilities were left to
guess what security measures to put into their proposed SSP. Since security is
not a profit center, the apparent actual risk of a terrorist attack is low (no
attacks to present and no reports of credible threats against chemical
facilities), and security measures usually complicate day-to-day operations,
facilities want to establish just the minimum security measures required to
assure compliance with CFATS. As a result, there is a natural tendency to
under-guess what is required for compliance.
Further complicating the process is the fact that the
current SSP data submission tool in the on-line Chemical Security Assessment
Tool (CSAT) uses a question/response format that solicits a limited amount of specific
information about the proposed SSP and relies on the addition of narrative
submissions for the bulk of the details about the program. Facility security
managers have every incentive to limit the amount of information that they
provide since any changes to that information after the SSP is approved will
have to be vetted through DHS before it can be changed. Limiting the scope of
that DHS operational veto is in the best interest of the facility management.
The disjointed and frequently duplicative organization of
the information in the SSP tool further aggravates the approval process by
making it difficult for inspectors to preview the submitted data before they
conduct their authorization inspections. Since large chemical facilities are
already complicated physically and operationally, inspectors have to become
familiar with the unique operational aspects of the facility and become
familiar with the proposed SSP at the same time during the scope of a three day
inspection.
Digesting that inspection information and preparing a coherent
report on how well the facility complies with the RBPS is a time consuming
process. This is complicated by the fact that every chemical facility is unique
in its surroundings, operations, hazards and susceptibility to terrorist attack.
Further, the Chemical Security Inspector (CSI) needs to have an operational
understanding of chemical safety, physical security, operations security, and
cybersecurity to adequately understand all of the implications of the proposed
SSP.
Finally, the CSI workforce is limited to about 160 personnel
which include regional commanders who would be expected to spend only limited
amounts of time in actual inspection activities. Authorization inspections are typically
conducted by 3 to 5 inspectors depending on the size and location of the
facility.
Inspection Rate
Shea spends a great deal of time analyzing the rates of
authorization, inspection and approval and their inter-relationships. I would
assume that this was done at the request of various Committee Chair who are
legitimately concerned with the progression of that process. Looking strictly
at statistical data Shea has provided detailed information about the number of
actions that are necessary to complete the SSP process in a variety of time
frames. Table 1 below summarizes the Shea data for the average monthly rates
for achieving completion of the SSP authorizations and approvals for the facilities
currently the program.
Current
|
1 year
|
2 year
|
5 year
|
10 year
|
|
Authorizations
|
61
|
284
|
142
|
57
|
28
|
Approvals
|
28
|
327
|
164
|
65
|
33
|
Table 1: SSP Authorization and Approval Rates
As I have discussed in various posts (see the latest here)
about the monthly reports the Infrastructure Security Compliance Division
(ISCD) has been publishing on the SSP approval process, there are a lot of
things beyond the control of DHS that have caused significant month-to-month
variations in the approval rates. It is also not clear how the changes in types
of facilities being inspected (alluded to in the CRS report). One would think that
the process would be easier at smaller less complicated facilities, but as I recently
noted the lack of administrative resources at those facilities is also
going to impact the approval process.
It seems likely that DHS will be able to complete the
authorization process in somewhere between two and five years, particularly
since that portion of the process includes only limited CSI involvement. The
projection for the approval process is less sanguine. Shea notes that ISCD has
recently begun the process of compliance inspections which will cut into the
number of authorization inspections that the limited CSI force can conduct.
Also noted as a force time-consumer is the current regulatory requirement to
begin the reauthorization/re-approval process for Site Security Plans. That
should begin in very limited numbers this fall.
New Facilities
Further compounding this issue is a discrepancy between the
number of covered facilities and the number of facilities with a final tier
assignment. Facilities become regulated when they submit a Top Screen that DHS
decides provides presumption of being at high-risk. In the initial Top Screen
submissions in January of 2008 40,000+ facilities submitted Top Screens, but
only about 7,000 were notified by DHS that they were preliminarily determined
to be at high-risk and would have to enter the initial evaluation process of
the regulated chemical companies, the Security Vulnerability Assessment (SVA).
What is not clear in Shea’s discussion is the fact that not
all of those facilities submitting SVA will be confirmed as high risk and be
given a tier ranking assignment. It is only at that point that the facility joins
the cue of facilities in the SSP authorization/approval process. Of the
original 7,000 covered facilities only about 4,000 were required to submit
sight security plans, the remainder were dropped from the CFATS program because
the additional data submitted demonstrated that they were not at high-risk of
terrorist attack.
Shea appears to assume that all of the currently regulated
facilities will be required to submit SSPs that will require future action.
That is not supported by past history. Only about half of the currently
regulated facilities that do not have tier assignments would be expected to
have to submit SSPs.
Alternatives
What is disappointingly lacking in this version of the CRS
report is a look at potential alternatives. With a new CFATS authorization bill
currently in the works it would have been nice to see a look at possible
congressional actions that could address this process.
The simplest action (and the least likely) is for Congress
to increase the funding and authorized head count for CSI. Clearly the limited number
of CSI has got to be a factor slow rate of approvals. Whether or not it is the
only factor has yet to be seen. Shea acknowledges this, noting (pg 16):
“Increasing authorization inspection
capacity might serve to highlight other potential issues within the CFATS
process, such as delays in processing information from authorization
inspections and issuing letters of approval.”
Congress is unlikely to significantly change the number of
CSI. The CFATS program already has more full-time federal inspectors than does
the EPA’s RMP program or OSHA’s PSM program which address similar (yet a far
larger number) facilities. Federal employee costs are high and there appears to
be a general reluctance to pay that cost for enforcement personnel.
Last summer I
proposed another alternative to speed up the SSP authorization and approval
process; adjust the standards by which those actions are reviewed for Tier 3
and Tier 4 facilities. Since these facilities are lower risk, it would seem
reasonable that while the RBPS are lower the standards for review of the
submissions should also be less stringent. While this would not technically
need congressional approval it would certainly need congressional acquiescence.
Personnel Surety
There was one SSP issue that was completely ignored in the
Shea report, technically there have been no site security plan approvals; they
all have been conditional because facilities have not been able to fulfill all
of the standards for RBPS # 12 Personnel Surety. The reason for this is that
DHS has yet to establish a means for facilities to vet personnel given
unaccompanied access to critical areas of the facility against a list of known
or suspected terrorists. ISCD has been at work on this program with little
success for over four years now.
I understand that this will be addressed by CFATS
authorization legislation that will be introduced in the next couple of weeks.
It remains to be seen whether or not that bill would, if passed (more than iffy
in an election year), ease or compound the difficulties that DHS is having
getting a plan that is acceptable to industry and accomplishes the requirements
for personnel surety established in the current authorization.
Posts
No comments:
Post a Comment