Tuesday, May 30, 2017

ISCD Publishes June 2017 CFATS Update

Today the DHS Infrastructure Security Compliance Division (ISCD) published their June 2017 CFATS Monthly Update a couple of days early. Interestingly the update was announced (or at least noted) on their Chemical Facility Anti-Terrorism Standards (CFATS) landing page, but not the CFATS Knowledge Center. I expect that we will see it announced there in the coming days.

Changes in Information

ISCD continues their old technique of keeping 90+% of the verbiage on the Monthly Update the same; just updating (most) of the data that changes. Table 1 below summarizes the current facility data from last month and this month.

Current Facilities
May 2017
June 2017
Covered Facilities
Authorization Inspections
Approved Security Plans
Compliance Inspections
Table 1: Current Facilities

The decrease in the number of ‘Current Facilities’ with Authorization inspections almost certainly indicates that there continues to be facilities that are leaving the CFATS program. ISCD does not specifically include a reporting of that number, but we can get a pretty good guess from the figures that they provide in their ‘Since Inception of Program’ reporting. Table 2 shows a comparison of those numbers in the two latest reports.

Total Facilities
May 2017
June 2017
Authorization Inspections
Approved Security Plans
Compliance Inspections
Table 2: Total Facilities

Comparing the ∆ column (or the change between the two reports) we can see that there were at least 4 (+3) new authorization inspections conducted and 7 (+6) site security plans approved. Additionally, there were 148 (+73) compliance inspections completed. This should mean that we have had at least 82 (3 + 6 + 73) facilities leave the program in the Month of May. That should also mean that a total of 262 (180 + 73) new facilities were added to the CFATS program. The change in facility numbers pretty well tracks with what ISCD reported for the initial results for CSAT 2.0.

Missing Information

As long time readers might expect, there are additional pieces of information that I wish ISCD would include in their reporting. First I would like to see some additional reporting on the continued progress of the CSAT 2.0 implementation; numbers like the total number of Top Screen notification letters sent to date and the total number of Top Screen 2.0 submissions received.

Additionally, ISCD could have update the numbers that they have reported in the ‘**’ footnote in the Update. They continue to report that:

“DHS continues to issue new high-risk tiering determinations as Top-Screens are submitted. 2,268 [emphasis added] of the currently covered facilities were tiered using CSAT 2.0, and 302 [emphasis added] were tiered using the prior methodology.”

Finally, I have to harp on something or no one would believe it was me writing the blog. I really wish that ISCD would add go/no-go stats to their reporting on compliance inspections. It would be very informative to see whether or not there is an improvement over the nearly 50% no-go rate seen earlier in the program.

Manual Update

If you peruse (very closely) the updated CFATS landing page today you might have noticed that ISCD has also published another updated version of their CSAT 2.0 Security Vulnerability Assessment/ Site Security Plan Instructions manual. This is version 2.0.15. There are no details in the manual about what has been changed, but it looks like ISCD is continuing to tweak their manuals to improve clarity.

This was not announced on the CFATS Knowledge Center either. Again, we will probably see a note there in the next couple of days.

No comments:

/* Use this with templates/template-twocol.html */