Sunday, July 12, 2020

Comments on Retrospective CFATS Cost Analysis

Last month the Cybersecurity and Infrastructure Security Agency (CISA) announced the availability of the “Retrospective Analysis of the 2007 Chemical Facility Anti-Terrorism Standards” for public review and comment. In three earlier posts I provided an analysis of document and the data shortcomings that I had discovered. Those three posts were:

In this post I will be summarizing the missing cost estimates from those earlier documents and I will be submitting a copy of this post as my contribution to the comments that CISA has solicited.

First, CISA is to be commended, both for the presentation of this document and the effort that the Agency has expended in its preparation. The use of the data submitted by CFATS covered facilities through the Chemical Security Assessment Tool (CSAT) for the preparation of this data demonstrates the continuing saga of innovation in this regulatory program. The folks at the Infrastructure Security Compliance Division are to be saluted on their ongoing efforts to make the CFATS program more effective and efficient.

CISA’s use of the ‘proposed security measure’ comments in the CSAT submissions for the facility site security plans was a very good way of identifying new capital costs that facilities were intending to incur is support of their implementation of the CFATS program at their facilities. Having said that, however, reliance on that technique is also the cause of the major shortcomings of this cost analysis. CISA assumes that ‘current’ security measures documented in the site security plan (SSP) were in existence before the facility began the development of their SSPs. While this is almost certainly true for some of the major components of the physical security apparatus (fences, gates and guard forces for example), many facilities incurred costs improving their security programs through the long process of site security plan approval process that facilities went through in the earlier years of the CFATS program.

Additionally, many of the security improvements that were put into place by facilities were not capital expenditures. Personnel costs (including training at all levels in the organization) and security consultation/integration costs in the early stages of program implementation would not typically be included in capital costs. Many of those types of costs would be incurred before the SSP was submitted, but after the facility was identified as a high-risk facility covered by the program. CISA is only going to be able to identify those costs by feedback from the affected facilities.

Finally, there is one other category of costs that are not readily available from the current community of CFATS covered facilities; those costs incurred by facilities to reduce their risks to the extent that they would no longer be covered by the CFATS program.

 RBPS Not Specifically Coved

Looking through the retrospective analysis document, it quickly becomes apparent that CISA has expended a great deal of effort to address costs associated with the physical security of facilities and assets under the CFATS program. Unfortunately, physical security efforts are only a portion of the Risk Based Performance Standards that facilities must address in their site security plans. I can find no mention of measures supporting the following RBPS in the CISA document:

• RBPS #8 – Cyber,
• RBPS #9 – Response
• RBPS #13 – Elevated threats,
• RBPS #14 – Specific threats,
• RBPS #15 – Reporting of significant security incidents,
• RBPS #16 – Significant security incidents and suspicious activities,

With the exception of RBPS #8 and #9, the costs incurred meeting the requirements of these RBPS would be relatively low compared to the physical security costs addressed by CISA. Analysis of the costs associated with these RBPS need to address expenditures for each of the security measures listed in the RBPS Guidance document for those RBPS.

RBPS #8 - Cyber

None of the cyber related security measures listed in the Guidance are even mentioned (with the noted exceptions) in the Assessment. These measures include:

• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’

Additionally, facilities could be expected to employ one of more of the following cybersecurity tools or processes in their efforts to protect their industrial control systems, security systems and information systems under RPBS 8:

• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• Remote access controls – no matches,
• Virtual Private Network – no matches,

The comments provided with each security measure refers to search results for the item in Assessment document.

RBPS #9 – Response

None of the security measures described in the Guidance document associated with RBPS 9, Response, are mentioned in the Assessment. These include:

• Emergency plans and processes, and
• Emergency response equipment

As with most of the security measures found in the Guidance document, these two were addressed to some extent in most facilities prior to their being notified that they were covered facilities under the CFATS program. Still, most facilities had to undertake additional efforts to ensure that they met the metrics for RPBS #9 listed in the Guidance.


In closing, I would like to reiterate my support for the effort that CISA has taken to date in preparing their assessment. However, there are some shortcomings in the processes and scope of that assessment that CISA is actively trying to address by soliciting comments on their efforts to date. I expect that there will be a significant response by the regulated community. To receive more comprehensive results, CISA is probably going to have to directly contact past and present covered facilities with specific questions about the costs that they incurred in preparing and implementing their site security plans.

I will be submitting a copy of this blog post to, Docket #DHS-2014-0016.

No comments:

/* Use this with templates/template-twocol.html */