Thursday, December 18, 2014

HR 4007 – Expedited Approval Facility

This is part of a continuing discussion of the recently passed HR 4007, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. In this post I will be looking at new expedited approval facility provisions of HR 4007. The previous postings in this series were:


One of the suggested methods for reducing the backlog of site security plan approvals has been that there ought to be a simpler method for smaller, lower threat facilities to get their site security plan (SSP) approved. One suggested method has been to use a system similar to what the EPA uses for water treatment facility security; the facility would certify that it meets the security requirements specified in the Risk Based Performance Standards guidance document. Congress took this basic idea and made it a little bit more complicated when they created the expedited approval facility (EAF) program in §2102(c)(4).

DHS Requirements

To start this program off, the bill requires the Secretary to accomplish two tasks within 180 days of the bill being signed into law. They are:

● Issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards {§2102(c)(4)(B)(i)}; and

● Develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification by a covered chemical facility assigned to tier 3 or 4 in lieu of developing and certifying its own plan.

Actually the second item is permissive not required and there is no actual time limit associated with the Department’s publication of templates. I’ve included it here for two reasons; it is specifically mentioned in the EAF program {§2102(c)(4)(A)(ii)}and Congress gave the same exemption from the regulatory approval process that it gave the Secretary for development of the EAF guidance (see the previous post in this series for more details on this exemption).

After a facility makes its site security plan submission (as described below) DHS has 100 days {§2102(c)(4)(G)(i)(II)}to make a determination that the submitted plan if ‘facially deficient’, otherwise the plan is considered approved. The term ‘facially deficient’ means that the {§2101(7)}:

(S)ite security plan that does not support a certification that the security measures in the plan address the security vulnerability assessment and the risk-based performance standards for security for the facility, based on a review of—

(A) the facility’s site security plan;
(B) the facility’s Top-Screen;
(C) the facility’s security vulnerability assessment; or
(D) any other information that—
(i) the facility submits to the Department; or
(ii) the Department obtains from a public source or other source

I’m not sure how the good folks at ISCD are going to get this review system set up, but they have been specifically authorized by this bill to employ contractors for conducting this sort of review (not making the final go/no go decision – that’s a purely governmental responsibility). Whether they can get it set up in time is a question for a future date. From the facility point of view, if they can’t get the review done in 100 days, it doesn’t matter; the plan is automatically approved.

Owner Requirements

Things get a little more complicated from the owner’s point of view. Let’s talk timelines first. The starting point for timelines for existing CFATS facilities that have had their security vulnerability assessments accepted by ISCD and have been assigned to Tiers 3 or 4 is 210 days after the bill becomes law (which is 30 days after ISCD is supposed to have their guidance document published). Facilities notified of their tier ranking after the bill is signed start on the date of their tier notification.

Facilities have 120 days to submit their site security plan and certification that the plan conforms to the guidance provided by ISCD. At least 30 days before the certification is sent, the facility must notify ISCD that they intend to certify as an expedited approval facility {§2102(c)(4)(D)(iii)}. Actually the certification is just a tad bit more complicated than that; the owner/operator certifies that {§2102(c)(4)(C)}:

(i) the owner or operator is familiar with the requirements of this title and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted;

(ii) the site security plan includes the security measures required by subsection (b);

(iii)
(I) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan;
(II) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk-based performance standards for the tier to which the facility is assigned; and
(III) the owner or operator has provided an explanation of how the site security plan meets the risk based performance standards for any material deviation;

(iv) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan;

(v) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan;

(vi) each individual responsible for implementing the site security plan has been made aware of the requirements relevant to the individual’s responsibility contained in the site security plan and has demonstrated competency to carry out those requirements;

(vii) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan; and

(viii) the planned measures include an adequate procedure for addressing events beyond the control of the owner or operator in implementing any planned measures.

I expect that we will see the certification as a form in CSAT with check marks in the appropriate places. Oops, maybe not as the bill clearly states that the certification must be “signed under penalty of perjury”. So I guess this will probably be another sign and send to ISCD form.

Compliance


This post is starting to get more than a little long, so I’ll look at the compliance issues in another post.

No comments:

 
/* Use this with templates/template-twocol.html */