Today the DHS Infrastructure Security Compliance Division (ISCD) published
a copy of the slides used in their webinar earlier this week concerning the
tiering results from the initial batch of facilities that have submitted new
Top Screens under CSAT 2.0. I discussed this webinar earlier this week and,
as I suspected, the early slides that I missed help clear up some of the
questions that I raised in my earlier post.
Risk Assessment Methodology
A couple of the slides provide some additional information
about the new risk assessment process that complements the new CSAT 2.0 tools.
There is not a great depth of detail, but they do look at some of the consequence,
vulnerability and threat considerations that are considered by the new
methodology. I am relatively sure that these are not all of the considerations
used in the new risk assessment and, of course, there is no information on the
weighting applied to the various considerations.
I do not think that some people in the security community
that had concerns about the lack of threat analysis in the earlier risk
assessment methodology are really going to be very happy about the
considerations shown in the table on slide 4. Many of the comments that I have
seen and heard about the ‘threat’ issue were more concerned about potential
threat actors and an assessment of their intent and capabilities to carry out
attacks on high risk chemical facilities. I do not understand how anyone could
expect that to be included in the Top Screen assessment since, even if accurate
information was available to conduct such an assessment, that information would
only be applicable to a specific point in time.
Numbers Review
As I noted in my earlier post I missed the early slides in
the presentation earlier this week. The one in particular that I was concerned
about was slide #5. It provides more detail about the number of facilities
involved to date (and into the future) in the new Top Screen submissions. It
seems that ISCD is intending to send out 27,000 Top Screen letters; a number
smaller than the 40,000+ that I had expected. The difference is that ISCD did
not send out letters to facilities that previously submitted Top Screens that
did not report a screening threshold quantity (STQ) of any of the 300+
chemicals of interest (COI).
ISCD reports that they have sent out more than 10,000 Top
Screen notification letters and as of April 3rd had received over 10,000
Top Screen 2.0 submissions. The two numbers are probably only coincidentally the
same, as all of the facilities notified almost certainly have not yet completed
their Top Screens. But remember, ISCD in their
announcement in October said that facilities did not need to wait to receive
their notification letter to submit a new CSAT 2.0 Top Screen.
My Analysis Questions
It looks like many of the questions that I raised in the
earlier post about analysis issues were due to poor note taking on my part. For
example, my questions about the 5% reported moving from untiered to tiered were
answered by the wording: “5% of the currently untiered populations”.
Since all currently covered facilities were included in the
27,000 figure, this must mean that about 24,000 facilities that are not
currently tiered (covered by CFATS rules) will receive a Top Screen
notification letter. This means that we can probably expect about 1,200 new
facilities to be added to the CFATS rolls.
Similarly, the 5% decrease was based upon the number of
currently tiered facilities. This means that about 150 facilities are expected
to ‘Tier out’ of the CFATS program. This means that we should expect a net gain
of about 1,050 facilities after all 27,000 Top Screens are evaluated. That is
about a 30% increase in covered facilities.
The question still remains about what the missing 9% (51%
moving between tiers + 35% staying within their tier + 5% tiering out = 91%) of
the currently tiered facilities are doing.
Received a Tiering Letter?
The slides also outline what actions a facility needs to
take once they receive their tiering letter after the submission of the CSAT
2.0 Top Screen.
The only new thing here is that facilities with a currently
approved site security plan (SSP) may (that is a completely separate blog post)
have to amend their site security plan to reflect changes in COI and/or
security issues. ISCD is giving facilities 30 days to submit those SSP changes.
As always, if that is not going to be enough time, request an extension.
Re-Do Webinar
As I mentioned on Monday, ISCD is re-presenting this webinar on May 3rd.
Apparently there are still open slots. Sign up if you have
any questions that you want to ask the presenters. Otherwise, I expect that
ISCD will be making a recording of the webinar available on their CFATS Knowledge Center.