Friday, September 8, 2017

ISCD Updates Two CSAT Manuals

Yesterday the DHS Infrastructure Security Compliance Division updated its Chemical Facility Anti-Terrorism Security (CFATS) program web site to provide links to new versions of two of its CFATS Chemical Security Assessment Tool (CSAT) 2.0 manuals. These two new manuals are not the simple tweaks and clarifications that we have been seeing in CSAT 2.0 manuals since the program was changed last October. They are significant re-writes.

The two new versions of the manual are:

Interestingly the new manuals are dated today, not yesterday.

The Site Updates

The most obvious web site update is found on the CFATS Knowledge Center page. This page provides a notice in the ‘Latest News’ section about the two new manuals with links to the manuals found in the ‘Documentation’ section of the page. Listings for the older versions of the manuals were removed from that section.

The main landing page does not contain any mention of the new documents, but it was updated with a link to a new version of the CFATS Personnel Surety Program page. That new page does not mention any program changes and still provides a link to the old PSP Manual. The CSAT page was not changed (still dated June 21st, 2017), but the link to the CSAT Portal Users Manual now takes you to the new manual through an updated intermediate page.

PSP Manual

The new PSP manual is a complete re-write of the manual with a completely new format. This means that it will be time consuming to determine what program changes (if any) have actually been made that were reflected in the new manual. At first glance, I do not see any major changes, nor do I expect there to be any since there was no update provided on the PSP web page. There may, however, have been some changes to the way the web site is used. More on that in a future post.

CSAT Portal Manual

The changes to the Portal Manual do not involve a complete rewrite so I can take a quick look at the table of contents to initially look for changes to this manual; and there are some interesting ones. It does not look like any real policy change, but there appear to have been some additions made to the CSAT Portal tool.

I do not see any changes in the table of contents until we get to Section 9, User Management Tab. First the manual completely changes Section 9.4, Users. That section not provides the following information:

9.4.1 Export User List
9.4.2 View User Information
9.4.3 Reset Password
9.4.4 Delete User Account
9.4.5 Administrator
9.4.6 Personnel Surety Program

A completely new subsection is then added; 9.5, Groups. That subsection includes:

9.5.1 Corporation Group
9.5.2 Create Group
9.5.3 Edit Group
9.5.4 Delete Group
9.5.5 Merge Group

So far, no new policy; just some added functionality and/or better listing of capabilities already existing within the system.

Next, we find that ISCD has flipped Sections 10 and 11. The new Section 10 addresses Personnel Surety Program issues. This is a complete re-write and probably is related to the changes in the PSP manual that I mentioned in passing earlier. I’ll probably address this new section in detail when I cover the new PSP manual. In the meantime, the following new subsections were added to Section 10:

10.1 Search Affected Individuals
10.2 Affected Individuals
10.2.1 Add Individual
10.2.2 View an Affected Individual
10.2.3 Edit an Affected Individual
10.2.4 Remove Affected Individual(s)
10.2.5 Bulk Upload
10.2.6 Export to PDF
10.3 User Defined Fields
10.3.1 Create User Defined Fields
10.3.2 User Defined Field List

The new Section 11 is just the old Section 10, Manage My Account. No other changes appear to have been made.

I have not yet gone completely through the manual to see if any significant changes have been made to any of the other portions of the manual. That is fodder for a potential future blog post, if there are any changes.


It is not unexpected to see a major rewrite of the PSP manual. ISCD has been implementing the PSP program in the hand-holding mode since its inception last year. I am sure that there have been a large number of lessons learned and hopefully this new manual accurately reflects those changes. I am more than slightly disappointed that there was not more of a formal role out of this new manual. As controversial as the PSP program has been since it was first mentioned, I would have thought that ISCD would have announced a webinar to explain what had been learned in the first year of the operation of this program.

At first glance it looks like the CSAT Portal Manual is just a routine update of both the CSAT site and the Users Manual. The only problem is that you cannot be sure about that without doing an almost line-by-line examination of the manual.

One of the things that ISCD changed when they started CSAT 2.0 was the removal of version numbers and change logs from their new publications. I suspect that this may have been a DHS wide requirement because most other DHS agencies have not been that user friendly in their publications. It does make it difficult for users of these manuals to keep up with what is going on in the program.

Most facility or corporate security managers do not hold just that job. It is an additional duty place on top of their normal corporate responsibilities. This means that they do not have the time to do the type of page-by-page analysis of new program manuals (and there are a bunch of manuals supporting the CFATS program) to ensure that they understand the changes that are being made in the program. Failure to understand those changes, however, could result in their organizations falling out of compliance with program requirements.

I hate to say this about anything involved with the government, but failure to properly document changes in program manuals is not fair. It puts an improper burden on the regulated facilities, a burden that most cannot bear, particularly the smaller facilities. DHS really needs to play fair with the CFATS community if it wants to continue to operate the program as a partnership with the chemical community rather than as an adversarial regulatory relationship.

No comments:

/* Use this with templates/template-twocol.html */