CFATS PSP Instructions Not Available 4-6-20

Today the Chemical Facility Anti-Terrorism Standards (CFATS) program landing page was updated with a reference to the signing into law of the  Coronavirus Aid, Relief, and Economic Security (CARES) Act. That act extended the CFATS program authorization until July 23^rd, 2020. As is usual when this page is updated, I went back and reviewed some of the sub-pages to the web site, looking for changes. Instead of finding any significant changes I found that there was no longer any actual link to the Personnel Surety Program (PSP) instruction book. This would be the Chemical Security Assessment Tool (CSAT) manual for completing the PSP program submissions.

There are two different paths that people should be able to use to get to the PSP manual. Both start on the landing page. The first (and shorter path) goes:

1. CFATS Resources to;

2. Chemical Security Assessment Tool (CSAT) 2.0 Personnel Surety Program Instructions to:

3. Guidance Document  back to #2.

The second path goes:

1. Risk-Based Performance Standards to;

2. RBPS 12 - Personnel Surety to;

3. CFATS Personnel Surety Program (PSP) to;

4. Chemical Security Assessment Tool (CSAT) 2.0 Personnel Surety Program Instructions to;

5. Guidance Document back to #4

The unintended loop set up by the ‘Guidance Document’ (different links for the two apparently identical versions) in the two paths is what prevents folks from getting to the actual document. None of the other CSAT instruction manuals have a ‘Guidance Document’ link. That makes a certain amount of sense since these are not (for the most part) guidance documents, but instructions for using the on-line tools. Why the PSP instructions need the guidance document disclaimer is not clear.

I cannot tell when this manual became unavailable. For the most part DHS stopped dating their web site pages some time ago. Because of the involvement of the ‘Guidance Document’ linkage in the problem, I suspect that this dates back to the DHS implementation of Executive Order 13,891, Promoting the Rule of Law Through Improved Agency Guidance Documents, in February of this year.

By the way, I went back to the latest link that I have for the document and that returns a ‘Page Not Found’ page. This is unusual, these older links typically remain active for quite some time.

Draft OSHA PSM Guidance Documents Published

Yesterday I received an interesting email from the folks at DHS that are providing administrative support for the DHS-OSHA-EPA response to the President’s Executive Order on Improving Chemical Safety and Security (EO 13650). The email reported that OSHA had published three new draft guidance documents for their Process Safety Management (PSM) program and noted that OSHA was soliciting public comments about these documents.

The three new guidance documents are for [NOTE: all links are for .PDF downloads]:

• Explosives and Pyrotechnics Manufacturing;

• Small Business Compliance; and

• Compliance at Storage Facilities

A brief review of the Storage Facility guidance document did not show any new information or outline any new requirements not already spelled out in the PSM guidance document. It looks like the intent is to provide a fairly brief (15 page) overview of the PSM requirements for facilities that may have thought that the PSM standard did not really apply to them. If that is the intent a brief section outlining how a facility determines if it is covered by the standard would have been appropriate.

OSHA is soliciting public comments on these documents. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #OSHA-2016-0021).

Commentary

I have two points of interest to discuss without having done a detailed review of any of the three documents. The first is a complaint about the administration of this process and the second is a pet peeve about the PSM program.

I am very disappointed in the way that OSHA is going about this publish and comment process. There is no notification about these documents on the OSHA EO 13650 web site nor has there been a notice published in the Federal Register. That combined with the very short (30-day) comment period makes me wonder just how interested OSHA and the Administration is in receiving public comments on these documents.

Since these are just guidance documents with no real information, I suppose OSHA is under no legal obligation to go through a formal publish and comment process. But, if you want to keep up appearances, especially this late in the life of the current Administration, then a formal publication of a request for comments in the Federal Register with a reasonable 60-day comment period would seem to be much more appropriate.

There are a series of ‘frequently asked questions’ at the end of the guidance documents and one of those in the Storage Facilities document (and most likely the others) is responsible for triggering a mini-diatribe about the major failing (IMNSHO) of the PSM program. The FAQ asks: “Must employers inform OSHA if the standard applies to them?” The OSHA response (in part) is very important:

“No. Unlike various other environmental, health, and safety regulations, the PSM standard does not have notification or reporting requirements. This means employers do not need to inform OSHA whether or not they meet the PSM applicability criteria. They need only ensure that they fully comply with the mandatory PSM requirements for all processes that meet the applicability criteria.”

This is one of the reasons (another being a totally inadequately sized inspection force) that PSM covered facilities seldom see an OSHA inspector until after a major accident has occurred; an accident that frequently would have been prevented if the PSM standard had been met. While some facilities deliberately ignore the safety standard, most facilities (particularly the smaller ones) fail to meet the standards set forth in the PSM program out of program ignorance and the lack of chemical safety experience. An active compliance inspection program before accidents happen would certainly help reduce the accident rates.

DHS Publishes Information Sharing Guidance Documents

Today the Department of Homeland Security published a guidance notice in the Federal Register (81 FR 8214) providing a link to their Automated Information Sharing (AIS) web site. This web site provides the interim guidance on the sharing of information about cyber threat indicators between the Federal Government and the private sector required under §103 and §105 of the Cybersecurity Information Sharing Act (CISA) of 2015 that was passed as Division N of the Consolidated Appropriations Act, 2016 (PL 114-113, not yet published).

The AIS web site contains links to four guidance documents:

• Non-Federal Entity Sharing Guidance;

• Privacy and Civil Liberties Interim Guidelines;

• Federal Government Sharing Guidance; and

• Interim Operational Procedures

The site also contains a link to the on-line form that allows submission of information on threat indicators to the automated information sharing system.

A quick review of these complex documents did not show anything specific to the sharing of information about sharing information about cyber threat indicators specifically related to industrial control systems. Section 102(9)(B) of CISA Act of 2015 did, however, specifically include in the definition of information system “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.

I’ll probably have a more detailed look at these documents in a later blog post.