Today the DHS Infrastructure Security Compliance Division
(ISCD) made changes to the Chemical Security Assessment Tool (CSAT) website in
its further implementation of CSAT 2.0 that started earlier this month. Today’s
changes included two new web pages and the publication of a link to the new
SVA-SSP manual that was announced
earlier on the Chemical
Facility Anti-Terrorism Standards (CFATS) Knowledge Center.
SVA-SSP Pages
While the initial phases of the CSAT 2.0 rollout focused on
the new Top Screen, ISCD has also made significant changes to the security
vulnerability assessment (SVA) process and site security plan (SSP). Since a
large portion of the earlier SVA process has been shifted to the new Top Screen,
the SVA has been reduced in scope and essentially combined with the SSP
submission.
The CSAT web page
now contains links to two new pages: one for the new SVA-SSP tool, one outlining
changes to the SVA and SSP
portion of that tool. The first provides a brief description of the new SVA-SSP
tool and provides the official link to the new manual (through the typical DHS
web site transition
page). The second page provides a little more detail about new questions in
the SVA portion of the tool and the more extensive changes in the SSP portion
of the tool.
SVA-SSP Implementation
Facilities that complete the new Top Screen will end up in
one of three general categories. The first (and largest) will be the facilities
that will be notified that they are not considered to be at high risk of
terrorist attack and thus not covered by the CFATS program; they will not have
to worry about the SVA-SSP. The second (probably the smallest group) will not
have been covered by the CFATS program on October 1st, but will now
(because of new information and/or the new risk assessment process) be notified
that they are required to submit an SVA-SSP within 120 days. The largest group
will be facilities currently under the CFATS program (and most likely with a
submitted, authorized, or approved SSP). Those facilities will have to make a
facility-by-facility determination of whether or not they will have to revise
their current SSP.
The middle group of facilities will continue to have the
existing options for submission of Alternative Security Plans (ASP) or
Expedited Approval Plans (EAP). Facilities notified of Tier IV ranking will be
able to complete an ASP in lieu of the SVA and SSP. Facilities ranked in Tiers I
thru IV may submit either an ASP or EAP in lieu of the SSP. These facilities
will be given 120 days from the date of their notification letters to submit
the new SVA-SSP.
Existing CFATS facilities that receive new notification
letters confirming that they remain in tiered status will be told which
chemicals of interest (COI) and security measures they are being tiered for. If
the facility's existing SSP (submitted, authorized or approved) does not
adequately cover the listed chemicals or security measures, the facility will
have to submit a revision to their SSP.
In CSAT 1.0 there was an SSP revision tool and manual. There
is not currently such a manual printed for CSAT 2.0. At least initially it
looks like SSP revisions will be submitted using the new SVA-SSP tool. The SVA-SSP
revision page notes that:
“For facilities that have
previously submitted the SVA and SSP, the majority of their previously
submitted information will be pre-populated into the new survey. Although CSAT
2.0 drastically reduces the number of overall questions, the tool includes some
new questions and sections, which are outlined below to help facilities that
fall into categories 1 and 2 above revise their surveys in an effective and
efficient manner.”
New Cyber Questions
There are many new questions and I will be addressing some
of them in future blog posts. Today I will briefly mention the new cybersecurity
related questions for the SVA and SSP identified on the SSP Revisions page.
For the SVA portion of the tool, the new page notes that
there are new questions for: “Identifying cybersecurity measures and vulnerabilities
in cybersecurity”. That would be question #2.50.040. The response (pg 7)
provides for a 4,000-character description of the “cybersecurity measures and
any identified vulnerabilities found while doing this analysis.”
The SSP portion of the tool will retain the cybersecurity
questions found in the previous SSP. Four new questions have been added; two
questions addressing whether or not there are control systems and/or business
systems that directly affect the security of listed COI. There is a follow-up
question for each identifying the specific covered cyber systems at the facility.
For control systems, question Q3.40.400 specifically notes
that:
“Defining cyber control systems for
your facility should be limited to those systems that have the ability to
control the process and could result in a release or contamination of COI.”
For business systems, question Q3.40.420 specifically notes
that: