Tuesday, May 5, 2020

ISCD Publishes New CFATS FAQ – 05-05-20

Today the CISA Infrastructure Security Compliance Division (ISCD) published a new frequently asked question (and response) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. FAQ #1795 addresses the requirement for facilities to conduct annual audits of their site security plan (or alternate security plan as appropriate).

The new FAQ

FAQ #1795 - When is a covered facility required to conduct a Site Security Plan/Alternative Security Program (SSP/ASP) Audit?

Answer - A covered facility must conduct an audit of its compliance with its SSP/ASP no later than one year after the date of the SSP/ASP approval. Thereafter, it must conduct its annual audit no later than one year after the date of its previous audit.


It is just a little bit odd that the response does not include a reference. There is no law requiring a FAQ response to quote the appropriate place in the regulation or statute that provides the quoted mandate, but ISCD has been very good (almost compulsive) about including such references. For the record 6 CFR 27.225(e) contains the requirement for a facility to “conduct an annual audit of its compliance with its Site Security Plan.” All FAQ #1795 does is inserts a common regulatory definition of the term ‘annual’ in that requirement.

There is no listing in the ‘Latest News’ section of the Knowledge Center announcing the new FAQ. We will probably see on later this week.

NOTE: A couple of weeks back CISA started to add revision dates back to the web pages on the CFATS web site. Instead of putting a ‘last changed’ date on the bottom of the page as the standard used-to-be, CISA is adding an ‘Original Release Date: Last Revised:’ line just below the page title. I am glad to see them doing this. It makes it easier for gadflies like me to keep up with the changes.

BTW: The CFATS Knowledge Center page does not have the dateline added yet.

No comments:

/* Use this with templates/template-twocol.html */