Today the DHS Infrastructure Security Compliance Division
(ISCD) published the Expedited Approval Program (EAP) guidance document that
was mandated by last year’s HR 4007. The document fulfills the new requirement
of 6
CFR §622(c)(4)(B) more than a month earlier than mandated by Congress. The
guidance document also includes the template for submitting the site security
plan suggested by 6
CFR §622(c)(4)(H)
The EAP program is briefly described on a new CFATS web page
and the document can be downloaded here.
I briefly discussed
the EAP concept in a blog post late last year.
EAP Schedule
The EAP program can only be used by Tier 3 and Tier 4
facilities. The deadlines for the program vary according to when the facility’s
Security Vulnerability Assessment was completed and the final tier assignment
made.
For facilities with a final tier assignment made before
December 18th, 2014:
∙ Notify ISCD of intent to certify
under the EAP – October 19th, 2015
∙ Certify compliance with EAP – November 18th,
2015
For facilities that were tiered after December 18th,
the notification deadline is either the one shown above or 90 days after the
tiering date, whichever is later. Similarly the certification deadline is 120 days
after the tiering date or the date listed above, whichever is later.
The Chemical Security Assessment Tool (CSAT) application
will begin to accept EAP notifications on June 16th, 2015 and
presumably EAP submissions 30 days later.
RBPS Enhancements
The site security plan requirements outlined in this
guidance document are based upon the Risk
Based Performance Standards guidance document published in 2009. The
guidance provided in this new document is, however, much more prescriptive than
the earlier guidance. This is intentional and in keeping with the Congressional
intent with the establishment of the EAP. This provides a facility with a level
of certainty not available when submitting under the standard site security
plan program (which remains an available option).
However, even with the prescriptive requirements for
security measures, ISCD realizes that not all security measures will actually
be required in every instance or they can be modified to a certain extent to
meet unique facility situations. Provisions have been made for facilities to
explain why certain prescribed security measures have not been taken and what
alternatives have been applied instead.
No Solicitation of
Public Comments
Congress specifically exempted ISCD from having to comply
with the ‘publish and public comment’ process in publishing this guidance
document. This was done in part to expedite the production of the document and
allow for expediting the site security plan approval process. The internal
justification for this exemption was that facilities do not have to use the EAP
program; it is entirely voluntary.
I will be looking at details of the enhanced RPBS guidance
in future blog posts.
Posts
No comments:
Post a Comment