Tuesday, June 30, 2020

Retrospective CFATS Cost Analysis – Other Missing Costs

This is the third post in a series on the recently published “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards”. The two earlier posts were:

Missing Cost Identification Methodology

While the analysis is certainly a valuable and commendable effort CISA is looking for an identification of costs that they may have missed. Using a similar process to the one I used in my analysis of missing cyber costs, I looked at each of the Risk Based Performance Standards in the RBPS Guidance document and identified the ‘security measures’ discussed for each RBPS. I then compared those to the security measures identified in the CISA analysis.

Since I have not implemented any of these security measures in an actual facility, I have no way of estimating their cost. For many of them, CISA would be able to use the same cost estimation methodology that they used in their analysis to identify reasonable cost estimates for the security measures. For security measures like ‘product stewardship’ and ‘inventory controls’, I think that CISA is going to need direct input from affected facilities.

RBPS Missing Costs

RBPS #1 – Restrict area perimeter – extensive data,

            Missing costs: security lights and protective force,

RBPS #2 – Secure site assets – overlap with RBPS #1,

            Missing costs: Security lighting and protective force

RBPS #3 – Screen and control access – not specifically addressed,

Missing costs: Personnel identification, hand carried item and vehicle inspections, and parking security

RBPS #4 – Deter, detect and delay – overlap with RBPS #1,

Missing costs: Security lighting and protective force

RBPS #5 – Shipping, receipt and storage – not specifically addressed,

Missing costs: Product stewardship and inventory control

RBPS #6 – Theft or diversion – not specifically addressed,

Missing costs: Inventory controls, procedural measures and physical measures

RBPS #7 – Sabotage – not specifically addressed but some overlap with RPBS #2 and #8,

Missing costs: Covered elsewhere

RBPS #8 – Cyber – not specifically addressed,

            Missing costs: see earlier blog post

RBPS #9 – Response – not specifically addressed,

Missing costs: Emergency plans and processes, emergency response equipment

RBPS #10 – Monitoring – not to be confused with ‘monitoring’ in RBPS #1 and #2 – covered,

RBPS #11 – Training – covered,

RBPS #12 – Personnel surety – covered,

RBPS #13 – Elevated threats – not specifically addressed,

RBPS #14 – Specific threats, vulnerabilities or risks – not specifically addressed,

RBPS #15 – Reporting of significant security incidents – not specifically addressed,

RBPS #16 – Significant security incidents and suspicious activities – not specifically addressed,

Missing costs: incident investigation

RBPS #17 – Officials and organization – covered,

Missing costs: cybersecurity officer

RBPS #18 – Records – covered

Public Comments

Once again, I would like to emphasize that CISA is soliciting public comments on this effort. Comments on CISA cost estimates, methodology and missing costs may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016). Comments should be submitted by September 21st, 2019. Note: this is the 2014 CFATS advanced notice of proposed rulemaking docket.

I will be revising the format for the data in this and the earlier cybersecurity cost blog post for my own comment to be submitted.

No comments:

/* Use this with templates/template-twocol.html */