This is part of a continuing series of blog posts on the
newly released Expedited Approval Program (EAP) guidance
document for Tier 3 and Tier 4 facilities under the Chemical Facility
Anti-Terrorism Standards (CFATS) program. Other posts in the series are:
In this post I will look at how the guidance document is
organized and how it is intended to be used. As I noted earlier this program
was mandated by Congress as a means to allow Tier 3 and Tier 4 facilities to
have an easier method of determining what security measures meet the Risk
Based Performance Standards (RBPS) that are required for all facility site
security plans.
Instead of having to determine what security measures might
meet the appropriate standards (and then have ISCD inspectors come out and
agree or disagree in the SSP authorization/approval process) Congress
authorized ISCD to specify minimum security requirements that would meet those standards
for Tier 3 and Tier 4 facilities. So, even if a facility decides not to use the
EAP process, this document can be used to supplement the RBPS guidance to
select appropriate security measures for the standard SSP process.
COI Specific Security Measures
While most security measures apply to all facilities, there
are many measures that are only required if a specific category of chemical of
interest (COI) is listed on the facility's security vulnerability assessment.
Those security measures are clearly marked and the facility is given the option
to not use those measures by indicating that the listed COI category is not
found on the facility.
Deviations
In establishing these minimum security measures ISCD recognizes
that there will be variations in how those measures are applied. They have
defined two categories of variations, material deviations and non-material
deviations. For many of the security measures specified there will be
alternatives that are spelled out in the EAP that can be used to meet that
requirement. The introduction to the EAP uses the example of the requirement
for an intrusion detection system (IDS); the non-material deviations for that
include a listing of different detectors that could be used in such a system.
Anytime that a facility chooses not to use one of the
specified security measures, that is considered a material deviation from the
EAP. Each material deviation must be documented and an explanation given for
how an alternative is used to meet the standards specified in the RBPS. This
means that the metrics provided in the RBPS guidance document for that
particular standard must be referenced with an explanation of how they are
being met.
As part of the review process for the EAP SSP submissions,
ISCD will closely look at each of the material deviations to determine whether
or not the substitute measure meets the RBPS for that particular metric. If it
does not, ISCD will notify the facility which material deviations were not
adequate and how to correct them.
Planned Measures
A facility does not have to have all listed security
measures in place when they submit their EAP SSP. The EAP provides for the use
of planned measures to fulfil some requirements. A planned measure must have “a
clear timeline for implementation not to exceed twelve (12) months from date of
the approval” (pg 9). It is not specifically stated in the EAP, but the 12
months is probably related to the time frame after the approval of a site
security plan that a facility should begin to expect a compliance inspection of
that SSP by ISCD.
Planned measures have to be specifically identified in the
SSP submission. That identification needs to include a description of the
systems to be implemented and the timeline for that implementation. If a
planned measure cannot be met within that 1-year time limit, the measure
becomes a material deviation from the RBPS and must be separately justified.
Certification
In addition to completing the EAP SSP documentation the
facility owner or operator will also be required to certify that the SSP meets
the requirements of 6
USC §622(c)(4)(C). A copy of the certification document is included as Attachment
1 of the EAP guidance document (pg 60).
Approval and Inspection
Once the facility submits the SSP documentation and
certification (presumably via the CSAT tool, but that has not been officially
announced yet), DHS has 100 days to approve the SSP. The only reasons for
disapproval would be if a facility did not acknowledge implementing all of the
appropriate security measures for the COI identified at that facility or had
submitted inadequate substitute measures for one or more material deviations.
At some point at least 12 months after the site security
plan is approved by DHS, the Chemical Security Inspectors from ISCD will visit
the facility to conduct a compliance inspection. Theoretically, this could be
the first time that the facility was visited by a CSI. In practice almost all
facilities currently covered by the CFATS program have been visited by a CSI
team at least once. The only possible exceptions are facilities that have been
recently added to the program.
If that compliance inspection finds that any of the
implemented or planned security measures reported in the SSP are insufficient
to meet the requirements for the RBPS, DHS may require additional security measures
to be implemented or may decertify the facility.