This is the third post in a series on the recently
published “Retrospective Analysis of the 2007 Chemical Facility
Anti-Terrorism Standards”. The two earlier posts were:
Missing Cost Identification Methodology
While the analysis is certainly a valuable and commendable effort, CISA is looking for an identification of costs that they may have missed. Using a process similar to the one I used in my analysis of missing cyber costs, I looked at each of the Risk-Based Performance Standards in the RBPS Guidance document and identified the ‘security measures’ discussed for each RBPS. I then compared those to the security measures identified in the CISA analysis.
Since I have not implemented any of these security measures
in an actual facility, I have no way of estimating their cost. For many of
them, CISA would be able to use the same cost estimation methodology that they
used in their analysis to identify reasonable cost estimates for the security
measures. For security measures like ‘product stewardship’ and ‘inventory
controls’, I think that CISA is going to need direct input from affected
facilities.
RBPS Missing Costs
RBPS #1 – Restrict area perimeter – extensive data. Missing costs: security lights and protective force.
RBPS #2 – Secure site assets – overlap with RBPS #1. Missing costs: security lighting and protective force.
RBPS #3 – Screen and control access – not specifically addressed. Missing costs: personnel identification, hand-carried item and vehicle inspections, and parking security.
RBPS #4 – Deter, detect and delay – overlap with RBPS #1. Missing costs: security lighting and protective force.
RBPS #5 – Shipping, receipt and storage – not specifically addressed. Missing costs: product stewardship and inventory control.
RBPS #6 – Theft or diversion – not specifically addressed. Missing costs: inventory controls, procedural measures and physical measures.
RBPS #7 – Sabotage – not specifically addressed, but some overlap with RBPS #2 and #8. Missing costs: covered elsewhere.
RBPS #8 – Cyber – not specifically addressed.
RBPS #9 – Response – not specifically addressed. Missing costs: emergency plans and processes, emergency response equipment.
RBPS #10 – Monitoring – not to be confused with ‘monitoring’ in RBPS #1 and #2 – covered.
RBPS #11 – Training – covered.
RBPS #12 – Personnel surety – covered.
RBPS #13 – Elevated threats – not specifically addressed.
RBPS #14 – Specific threats, vulnerabilities or risks – not specifically addressed.
RBPS #15 – Reporting of significant security incidents – not specifically addressed.
RBPS #16 – Significant security incidents and suspicious activities – not specifically addressed. Missing costs: incident investigation.
RBPS #17 – Officials and organization – covered. Missing costs: cybersecurity officer.
RBPS #18 – Records – covered.
Public Comments
Once again, I would like to emphasize that CISA is
soliciting public comments on this effort. Comments on CISA cost estimates, methodology
and missing costs may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016).
Comments should be submitted by September 21st, 2019. Note: this is
the 2014 CFATS advanced notice of proposed rulemaking docket.
I will be revising the format for the data in this and the earlier
cybersecurity cost blog post for my own comment to be submitted.