Tuesday, April 20, 2021

CISA Integrated Operations Division

This last weekend I received an interesting direct message on one of my social media accounts asking if I had ever taken a look at CISA’s Integrated Operations Division. I had not, but before I do, I need to take a brief side step and look at a piece of my governmental history.

Chain of Command

Every soldier, sailor, airman and marine learns one basic lesson quickly in their initial training: the chain-of-command. The chain-of-command is the legal fiction that there exists a direct line of authority from the President down to the lowest enlisted members of the Armed Forces. Each and every recruit is required to memorize the title and name of every person in their chain-of-command.

While such a direct linear chain-of-command may have existed at some point in our nation’s history, the structure of a modern military is no longer so clearly defined. I had this fact driven home for me when I served in the G3 Emergency Operations Center in Berlin in the late 70’s and early 80’s. That time was a very warm period of the Cold War and Berlin was, as usual, smack in the middle of things. In the EOC we served two masters: the Brigadier General commanding the Berlin Brigade and the US Commander of Berlin, a Major General. For the BG we were a tactical operations center that typically went ‘to the field’ once a year for a tri-partite war game with our British and French allies.

For the USCOB, however, we were the EOC for a politically responsive military command. The Major General reported directly to the US Ambassador for Germany and we routinely communicated directly with the Pentagon and the National Command Authority as incidents evolved in our area of operations. As political tensions escalated, we frequently operated as both the EOC and the TOC. As operations NCOs, we had to be carefully and fully aware of the role in which we operated in each communication in which we took part.

Our chain-of-command in each role was different and would frequently shift in the middle of an operation as the political realities changed around us. Fortunately, we had a great operations officer and an experienced Senior Operations NCO that were aware of the potential problems. They kept us aware of the organizational status of our operations, especially when that status changed in the middle of an operation. This helped us ensure that we did not make any serious reporting or coordination mistakes.

Integrated Operations Division

CISA is the Cybersecurity and Infrastructure Security Agency. Recently, they have made most of their news in their cybersecurity role. The infrastructure security portion of the Agency is, however, a fully functioning and important part of CISA. A major functional part of that other-than-cyber part of CISA operations is found in the Integrated Operations Division. They provide “a national capability to deliver CISA services to our stakeholders and partners across state and local governments and the critical infrastructure community.”

Operating offices out of each of ten CISA Regions (patterned after the FEMA regional organization) the IOD provides local logistical support for CISA personnel in the realms of:

• Chemical Security Inspectors (CFATS program),

• Protective Security Advisors,

• Cybersecurity Advisors, and

• Emergency Communications Coordinators

These regional offices also serve as a point-of-contact for State, local and tribal governments for coordination and support from CISA.

IOD and CFATS

Here is where stuff starts to get complicated. First off, the Chemical Facility Anti-Terrorism Standards (CFATS) program is run by the Office of Chemical Security (OCS) out of the CISA Infrastructure Security Division. OCS is responsible for:

• Developing and maintaining the Chemical Security Assessment Tools (CSAT) used by facilities to provide information to DHS about their chemical security processes,

• All of the back-end operations of the risk assessment process which is used to determine which reporting facilities are considered to be at high-risk of terrorist attack and thus covered by the CFATS program,

• First authorizing and then approving each facility site security plan, and

• Ensuring that covered facilities remain compliant with their approved site security plan responsibilities.

The on-site eyes and ears of OCS are the Chemical Security Inspectors. These are the valued members of the CFATS teams that work directly with the covered facilities in helping them develop effective site security plans and then ensure that they comply with the approved plans and remain in compliance with them over time. The CSI work out of the CISA Regional offices.

Each Regional Office has a Chief of Chemical Security. This is the ranking Chemical Security Inspector in the region who is responsible for the operations of the CSI in that Region. In addition to ensuring that all chemical security inspections, audits and assistance visits are accomplished in a timely and effective manner, the Chief is also responsible for providing response to State, local and Tribal governments in the region in matters related to chemical security, providing outreach to chemical facilities within the region about their reporting responsibilities under the CFATS program, and supporting chemical facilities not covered under the CFATS program in assessing their facility security.

The thing that is not clear to me is to whom does the Chief of Chemical Security report? Certainly, in many of the day-to-day activities of the CSI, the Chief is responsive to the local official running the Regional Office. But for the purposes of ensuring that the requirements of the CFATS program are met, the Chief should be directly responsible to OCS. One would like to think that there should be no conflicts between the competing requirements of the Regional Office and OCS, but anyone that has ever worked with bureaucracies knows that they seldom work as planned.

Now I have heard nothing about any specific conflicts between regional offices and OCS, but professionals would have to acknowledge that there was the potential for conflict. When organizations are set up in ways that make for potential conflict, controls have to be put into place to identify such conflict early on and resolve that conflict before it gets too far out of hand. In the federal government, the agency responsible for identifying and resolving these types of internal conflicts is the Inspector General. The DHS IG should set up a periodic review of the situation in the CISA Regional Offices to ensure that conflicts between IOD and OCS priorities do not hinder the efficient oversight of the CFATS program.
