Review – ChemLock and Risk Based Performance Standards

This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:

• CFATS is Dead,

• Making ChemLock Safety Act Compliant – ChemLock Program Background,

• ChemLock and Tiering,

• Reader Comment – TSDB Screening for ChemLock,

• ChemLock and TSDB Screening.

NOTE: Earlier articles in this series have been removed from the CFSN Detailed Analysis paywall and are available to the public.

One of the key concepts upon which the CFATS program was founded is that the diversity of chemical facilities makes it nearly impossible to establish a security program which would fit each and every facility. So, when the CFATS regulations were written, DHS attempted to describe the outcome that they wanted to see from facility security programs rather than mandate what security measures facilities would be required to use. These risk based performance standards (RBPS) were codified at 6 CFR 27.230. Any authorization of the ChemLock program should direct CISA to take the same tack in making the program Safety Act (6 USC 441 et seq) compliant.

The current ChemLock security goals, properly fleshed out, could easily become the basis for a quasi-regulatory scheme by which facilities could be judged to be eligible for SAFETY Act protections. A version of the CFATS RBPS Guidance document would have to be created, tailored to the six security goals included in the updated ChemLock program and the proposed 5 risk tiers proposed in my earlier posts.

CFATS in 2021

As we start a new year and a new Congress (the 117^th, for the record) it might be appropriate to take a look at what we can expect in the Chemical Facility Anti-Terrorism Standards (CFATS) program. First and foremost, the chemical security inspectors will continue their work with CFATS covered facilities to ensure the security of high-risk chemical facilities.

Legislation

First, since the program authorization was extended for three years in the last session of Congress, I do not expect to see any major congressional legislative activity this year. There may be some bills introduced attempting to tweak the program around the edges, but I would not expect them to see any significant committee activity on those bills.

There is one potential exception to this, depending on what comes out of the investigation of the Christmas bombing in Nashville. I have yet to see any news on the type of explosive that the bomber (allegedly Anthony Quinn Warner) used, but if this was (as I suspect) an improvised explosive device rather than commercial explosives, there are going to be questions about how he obtained the ingredients to make the large explosive device that damaged 41 buildings in downtown Nashville.

So far there has been minimal outrage from Rep Cooper (D,TN), Sen Alexander (R,TN) or Sen Blackburn (R,TN) about the bombing, mostly because no one was killed except the bomber. That could change depending on what news comes out of the investigation. That could result in legislation addressing some sort of ‘shortcomings’ in the CFATS program that allowed the bomber to obtain the material used in the vehicle borne improvised explosive device (VBIED).

If ammonium nitrate was one of the precursors in that bombing, then there will be a completely different type of legislative explosion forth coming since DHS has not implemented the 2007 congressional mandate for ammonium nitrate security regulations. While that attempted rulemaking is scheduled to be revisited this year, congress could direct CISA to implement the costly regulations proposed in 2011.

Regulations

As I reported last month CISA has announced that it intends to publish an advanced notice of proposed rulemaking (ANPRM) to make some limited changes to the Appendix A list of DHS chemicals of interest (COI). The notice in the Fall 2020 Unified Agenda indicates that CISA would like to see all of the Division 1.1 explosive chemicals removed from the COI list. Security for these chemicals is already covered under regulations from the Bureau of Alcohol, Tobacco, Firearms and Explosives, so CISA and the explosives industry believe that the CFATS regulations may be duplicative.

Interestingly, this probably would not provide much relief to manufacturers of those explosives. Many of the chemicals that they use to make these Division 1.1 materials are also covered under the CFATS program. Most of those precursors are not release (fire or explosion) hazard chemicals so the required security measures would be more targeted against theft (see my discussion above), so the cost of security might be lower for manufacturers.

According to the Unified Agenda, CISA was targeting January 2021 as the publication date for the ANPRM, but nothing has yet been submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) so that date is extremely unlikely. Again, the investigation into the Nashville bombing may slow down the progress on this rulemaking.

RBPS Guidance

One of the things that I have not seen any mention of is a proposal to update the Risk-Based Performance Standards (RBPS) Guidance document. Readers will recall that back in May of last year the GAO specifically called CISA to task about the outdated guidance in that document for cybersecurity measures. This is hardly surprising since the document dates back to 2009, a year before Stuxnet proved to the world that industrial control systems were vulnerable to attack.

Unfortunately, the entire document is out of date, not just the portion dealing with cybersecurity. The staff at the Infrastructure Security Compliance Division did a good job in publishing the document in short order as the CFATS program was being stood up. ISCD and industry have learned a lot of valuable lessons in the 11+ years since that document was published so it is long past time for the guidance to be updated.

Guidance documents are not listed in the Unified Agenda so we would not expect to see any official advanced notice. I had hoped to hear, however, some hint of an announcement about this during the December Chemical Security Summit (CSS) webinars. Unfortunately, nothing was said about updating this document. I do expect to see some news in this area as the year progresses.

Voluntary Programs

Almost two years ago Director Wulf mentioned in a congressional hearing on the CFATS program that DHS was looking at using the expertise that the Department had developed in the CFATS program implementation in standing up a voluntary chemical security program for facilities that were not covered by CFATS.  During the December 16^th CSS webinar Ann Hunziker Boyer from ISCD made a presentation about what that program could look like. While this program is still early in the development process she made it clear that ISCD was most concerned with the almost 40,000 facilities that had been required to complete Top Screens due to the presence of COI, but had not been declared to be at high-risk of terrorist attack that would place them in the CFATS program.

Again, the Nashville bombing could have an impact on the roll out of this program. If the source of the VBIED precursor chemicals were from CFATS covered facilities, then this program will almost certainly be pushed back as ISCD would be forced to concentrate on a review and revamp of the security measures for those chemicals. On the other hand, this program could become a much higher priority if the chemicals came from one or more facilities that were not under the CFATS umbrella.

ISCD Updates CSAT 2.0 Web Site

Last week the DHS Infrastructure Security Compliance Division (ISCD) updated their Chemical Security Assessment Tool (CSAT) web page; this is part of the extensive web site for the Chemical Facility Anti-Terrorism Standards (CFATS) program. The only change to the CSAT page was the addition of a link to the new CFATS Site Security Plan (SSP) Submission Tips web page.

This new web page is part of the on-going ISCD outreach program to the CFATS regulated community. It is not a substitute for the SSP manual and the Risk Based Performance Standards (RBPS) Guidance manual, but rather a highlight of those types of things that have apparently been found lacking in many SSP submissions in the past. It highlights four major areas of concern:

• Consider what security measures to address;

• Detail current security measures;

• Describe planned security measures; and

• Specify facility-wide or asset-specific security measures

 What Security Measures

Of course, facilities are going to need to address security measures in each of the 18 RBPS that are applicable to the DHS chemicals of interest (COI) identified on the facility tiering letter. This section of the web page addresses five “overarching objectives” of the SSP:

• Detection;

• Delay;

• Response;

• Cyber; and

• Security Management

These are covered in short (one paragraph) discussions and links to the four RBPS fact sheets that ISCD began issuing earlier this year:

RBPS 8, Cyber Fact Sheet  

RBPS 9, Emergency Response Fact Sheet  

RBPS 12, Personnel Surety Program Fact Sheet  

RBPS 18, Records Fact Sheet 

Current Security Measures

This section briefly covers two rather broad topics:

• Be as detailed as possible; and

• Don’t overlook safety and environmental measures already in place that contribute to security.

In my conversations with folks in the field the first point is probably the most important for a successful SSP submission. This new web page says it well and succinctly:

“The text boxes in the Chemical Security Assessment Tool’s (CSAT) (/chemical-security-assessment-tool) SSP application have been included so that facilities can more fully describe current security measures, including how the measures address the relevant RBPS. The better DHS can conceptualize and understand your approach to security measures, the better DHS can evaluate whether they meet the applicable RBPSs.”

Facility-Wide vs Asset-Specific

The discussion here is important, though more than a little simplified (to be expected in a short document like this). It boils down to this. Security measures can be quite expensive, especially as the size of a facility increases. Since different types of COI may require different types of security measures, a facility may be able to significantly reduce costs by confining certain security measures to just those areas where their listed COI are stored or handled. Provisions are made in the CFATS to allow facilities to do this.

Commentary

Again, ISCD has consistently tried to reach out to the CFATS community and provide the necessary information to successfully comply with the program requirements. This is part of that outreach. It is not (nor was it intended to be) the ultimate word in developing a successful SSP submission. It is just part of the process.

Facility security personnel will find this helpful only if they are familiar with the RBPS Guidance document and the SSP manual. Another source of useful information in this matter are two of the recently published presentations from the 2017 Chemical Sector Security Summit:

CFATS Regulatory Update

CFATS Compliance Lessons Learned

In fact, the CSSS web site has links to additional presentations from previous years that will also be helpful. The whole CSSS program is helpful for anyone interested in chemical facility security issues.

One final point, cybersecurity continues to pop up regularly in any discussions about the CFATS program. ISCD is certainly taking great pains to mention the topic whenever they discuss site security plans or compliance inspections. They have taken particular care to ensure that they try to communicate that ‘cybersecurity’ is not only important for the control systems that touch on the handling and/or storage of covered COI, but also includes cybersecurity measures to protect security controls (surveillance, intrusion detection, and access control systems) as well as business systems that affect the handling (ordering, selling or transporting), or storage of covered COI.

A Closer Look at the Heritage Foundation Report – Four Principles

This is the second blog in a series taking a critical look at the recent Heritage Foundation report on the problems with the CFATS program. While the report authored by Jessica Zuckerman is not up to the usual editorial standards of the Heritage Foundation it does raise some interesting issues. The earlier blog post can be found here:

A Closer Look at the Heritage Foundation Report – CFATS Description

In this post I will be looking at the discussion in the Report under the heading of ‘Right in Principle, Wrong in Practice’. This section looks at the program from the perspective of how well the CFATS implementation has followed the four principles outlined by Under Secretary Beers in his March 30^th, 2011 testimony before the House Homeland Security Committee (Oops, it was before the House Energy and Commerce Committee on March 31^st, 2011 and the link provided in the report is bad, DHS web site change not Ms. Zuckerman’s fault there, but the rest is just poor scholarship).

Cross-Collaboration

Zuckerman properly points out that the individual facilities, the Federal government as well as State and local governments all have interests in securing high-risk chemical facilities. She then takes the CFATS program to task for centralizing the responsibility for security at the Federal level. She notes that:

“The government must determine facilities’ risk lev­els, set performance standards, and assess security plans and compliance.”

Congress provided in §550 that DHS was supposed to develop a security program targeted at just those chemical facilities that were determined to be at the high risk for terrorist attack. Furthermore, the program should be risk-based with the highest risk plants getting the earliest attention. All of these require DHS to determine facility risk levels.

The performance standards were published by DHS as one would expect since they would be judging if facilities met these performance standards in the implementation of their security plans. DHS developed the standards in conjunction with industry input and published a draft of the Risk-Based Performance Standards. Extensive industry comments were received on that draft (see my blog posts from 11-28-08, 12-05-08, 12-05-08, 01-09-09 and 01-13-09) and were taken into account when the final version was published.

Furthermore, DHS worked hand-in-hand with industry in developing, fielding and modifying the Top Screen and Security Vulnerability Assessment Tools. For both of these portions of the CFATS process the first ten or so facilities to complete submissions had DHS personnel on site in the information development and submission process to work out the inevitable bugs in the system. The lessons learned in those shared submission efforts were put into modifying the tools and documentation before those systems went live for the remainder of the CFATS community. That this was not done in the SSP submission process probably goes a long way to explain the problems in that system.

Ms. Zuckerman closes this section by claiming that:

“Enhancing chemical security does not mean that the private sector should yield its responsibil­ity to the federal government.” (pg 5)

Nowhere in her arguments does she show where the private sector has been required to yield its responsibility for the security of their facilities. The CFATS program does not specify how a security program should be put together, it simply provides standards by which the government will judge the success of that program. That those standards are vague at best is at least partially the responsibility of private industry. They were the ones that demanded performance based standards and complained about anything coming close to specifics in the draft version of the RBPS Guidance Document.

Risk-Based Tiering

Zuckerman takes DHS to task for not sharing the basis for the Department’s risk tiering process, a complaint that has been made a number of times over the years since the first NPRM was published for the CFATS regulations. Actually this complaint has been combined with the lack of openness about the process for establishing the ‘high-risk’ status of facilities in the first place.

The report properly notes that the details of the risk-ranking methodology is not shared with owners. This does not allow an owner to do more than to make a reasonable guess as to what actions the facility can take to have their Tier ranking lowered or even to be removed from the CFATS list all together. There is a process in place to submit information to have either the Tier ranking or CFATS listing reconsidered, but it is an iterative process at best.

While I agree with Ms. Zuckerman’s assertion in this case, she does her report ill service by not addressing, even in passing, the reasoning that DHS has used to avoid publicizing the details of their methodology. This lack of addressing opposing arguments is another of the reasons that this Heritage Foundation report is probably more useful as a political document than a real study of the issues involved.

Any discussion of the sharing of information about the security tiering or assessment process must take into account the official DHS response to such questions in the regulatory comment process. DHS outlines their position quite clearly in the preamble to the Interim Final Rule published in the Federal Register (72 FR 17700 – 17701).

Zuckerman also addresses the failure of DHS to share tiering information with State and local authorities; stating that:

“In addition, first responders and community leaders have also expressed concern about the lack of transparency of facility tiering and risk assessments, citing the fact that the lack of information sharing may impede emergency response and community preparedness.” (pg 5)

While one might suppose that State and local officials might want some input on the evaluation process of facilities within their jurisdiction, the claim of lack of transparency of the facility tiering and risk assessment process fails to address the efforts made to share that information with local authorities. DHS has made it clear that facilities have an inherent responsibility for coordinating with local emergency response officials and provides the State Homeland Security Directors with access to an online tool in CSAT to check on the CFATS status of chemical facilities within the State.

Finally, Ms. Zuckerman takes DHS to task for the problem it discovered last year in its risk model. While there should be some discussion on the internal delays in responding to the discovery of the model discrepancy, it really is disingenuous to complain about the problem with the model. Any researcher or academic knows that a model is only an approximation of reality and adjustments have to frequently be made to models to ensure their accurate reflection of reality. ISCD should be commended on monitoring their system closely enough to detect and correct the problem.

On an editorial note there are many claims of comments by unnamed industry or local government officials within this section. The footnotes to those claims almost uniformly point to the book “Chemical Facility Security” by Shea, but not a single page citation is provided. This is just another continuing example of the poor scholarship exhibited throughout this work.

Performance Standards

Zuckerman’s section on performance standards, or more appropriately the Risk-Based Performance Standards (RBPS) actually addresses the core issue of the current ISCD problems. She acknowledges that the theory behind the RBPS is good but notes that in practice “chemi­cal facilities have largely been left uncertain over what is expected of them in meeting the DHS’s stan­dards” (pg 6). Unfortunately, industry is largely to blame for these problems. They insisted on risk-based performance standards instead of concrete security measures and even convinced their politicians in Congress to prohibit DHS from specifying any security measure as being necessary for SSP approval.

As I noted earlier, when DHS published the draft of the RBPS Guidance document in October 2008, the industry comments came fast and furious. While many of the comments were constructive the vast majority were complaining that this or that was too specific and wouldn’t or shouldn’t apply to their industry or company. Once again DHS gave in to the political pressure (which is never mentioned in Ms. Zuckerman’s report), and produced a very vague RBPS Guidance document.

Ms. Zuckerman blames the problem, in part, on the Chemical Facility Security Inspectors (CFSI’s; oh, she never does use their proper title; a small thing to be sure); noting that:

“Similarly, issues in training and hiring capable and experienced inspectors has resulted in confusing and conflicting feedback from ISCD inspectors in the course of pre-authorization visits and authorization inspections.”

I’ll address the CFSI specific issues in a later post, but this complaint (not unique to Zuckerman) misses the important point. In the pre-authorization and Authorization inspections, the inspectors are just the eyes and ears of the ISCD staff. It is that staff (and frequently contractors) that never sees the facility that makes the decision on whether or not an SSP is approved or not. Thus, the person the plant talks to is not the person making the decisions.

DHS has tried to clarify this on a number of occasions, but I seriously don’t think that it has really gotten through to the folks in the inspected facilities. Thus this reported confusion in the field.  Oh by the way, Ms. Zuckerman provides no source for her comments about ‘confusing and conflicting feedback from ISCD inspectors’.

Leveraging Existing Advancements

This section of the report deals with the usage of ‘Alternative Security Plans’ or ASPs. Ms. Zuckerman falls into the same language trap that most people do when the discuss ASPs. When most of the chemical industry talks about ASPs they mean security programs like the American Chemistry Council’s Responsible Care Security program. This is a set of standards along with a third party verification of compliance for security related issues. When industry talks about ‘accepting’ such a plan it appears that they mean the facility should be given credit for that plan when they have been certified by the third party and DHS should accept that as an approved SSP.

DHS, on the other hand misnamed their SSP; it is not a site security plan. What the SSP is is a series of questions about the security set up at a particular facility to determine if that security program meets the requirements of the Risk-Based Performance Standards. DHS doesn’t care if the security measures are part of another certified site security plan; great, just so long as your answers to the questions show the facility meets the RBPS.

The problem is that ISCD does not have the time nor the manpower to read the documents associated with a real security plan; a 100+ page document with annexes describing emergency response, personnel surety, key control, etc. Adding a variety of formats from different security programs will only add to that problem.

Ms. Zuckerman manifests her misunderstanding of the problem by stating that:

“This lack of motivation on the part of the DHS to seriously consider ASPs inhibits the ability of compa­nies to continue to employ security measures in which they have already invested time and effort, thereby discouraging the innovation and creative thinking that have been critical to the security of the private sector in the past. As such, it limits the field of security options to those rigidly established by the federal government.” (pg 6)

Nothing that DHS is doing is limiting the ability of facilities to continue to use existing security measures, either to completely or partially fulfill their compliance with the 18 risk-based performance standards set forth in the CFATS regulations. And DHS is specifically prohibited from establishing rigid security options.

What industry really wants is for the currently established voluntary security programs to be accepted without review by DHS. In essence what they want is to have these third-party certification agencies to perform the inherently governmental function of examining and approving the security plan for CFATS covered facilities. Unfortunately, DHS has been given the responsibility for performing this function and does not have authority to transfer that responsibility to a private sector entity (okay, we’ll ignore for the moment that they are using contractors for the information processing necessary to make that decision; oh, that isn’t in the Heritage Foundation report).

In the closing paragraph in this section of the report Ms. Zuckerman brings up an interesting point that I must admit I haven’t seen mentioned in reference to the CFATS program. She mentions that “the department should encourage companies to apply for certification under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002”. Actually I have heard of the SAFETY Act program and I seem to recall that it is run by DHS S&T, not NPPD.

Still if NPPD could identify areas where new technology would benefit facilities covered under the CFATS program, it would certainly be helpful if a SAFETY Act program could be put together to fulfill that need. Okay, I’ll remake a suggestion here; chemical facility response forces need a weapon that can be used to stop violent attackers without posing a safety hazard when used within the high-risk environment of a chemical facility. Sorry that’s a pet peeve of mine and doesn’t really have anything to do with the review of this report. It won’t happen again.

Other Critical Concerns

This section deals with the issues raised in the so called Anderson memo that was made public last December. Ms. Zuckerman has had no more access to that memo than have any of the rest of us that have commented on the problems at ISCD. So I’ll give her a pass on all of the errors in this section as they are the same ones that just about everyone has made. She has no background working with this program so she can only repeat the same unfounded charges. See my blog post from last December on my reporting on the ISCD issues.

SSP Submission – RBPS #6 Theft and Diversion

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures SSP Submission – RBPS #1 Restrict Area Perimeter SSP Submission – RBPS #2 Secure Site Assets SSP Submission – RBPS #3 Screen and Monitor SSP Submission – RBPS #4 Deter Detect and Delay SSP Submission – RBPS #5 Shipping Receiving and Storage This posting looks at RBPS #6, Theft and Diversion. This section of the SSP looks at equipment, processes and procedures that help to reduce the risk of theft or unauthorized diversion of ‘dangerous chemicals’ including Theft COI. The Guidance document provides the same definition for ‘dangerous chemicals’ in this RBPS as was used for ‘hazardous chemicals’ in RBPS #5. There is no reason given for the use of two different terms for the same chemicals. This section of the SSP provides similar questions for both facility wide security measures and asset specific security measures. As we noted in the other sections of the SSP with similar provisions, a security measure is not reported in the asset specific questions if the security measure applies to (and was reported as) facility wide security, unless there are separate systems for the specific asset or there are substantial differences in operations of the measure at the specific asset. More Duplicate Questions This section has an even larger number of previously asked questions than we have seen in the earlier RBPS sections. Part of this may just be because there are more questions to draw from. Once again, there are no instructions in either the Questions manual or the Instructions manual about how the system deals with repeat questions. I suspect that in many cases the answers will pre-populate forward. There are two odd duplicate questions that have been significantly reworded from their earlier incarnations. I guess that means that they aren’t truly duplicates. I certainly have no idea why these two questions were picked for rewriting and reissuing. Both questions require ‘Yes’/‘No’ check-offs. The questions are:

"Does the facility have controls and procedures that restrict access to storage of potentially dangerous chemicals (including Theft COI), allowing access only to authorized individuals? "Are transportation access portals controlled and is access limited to authorized individuals?"

Unknown Carrier or Driver Questions There is a duplicate question that leads off a section of questions about procedures for how the facility will deal with an unknown carrier or driver showing up to deliver or pick-up a load. Each of the questions requires a ‘Yes’/‘No’ response. At first glance these seem to be standard questions, but there are two questions that are very similar in the way they are worded. They deal with procedures that the facility has for where truck/driver will be held while they are waiting until they are “properly vetted and approved”. One question uses the term ‘staging’ and the other uses ‘sequestering’. While there are no explanations for the differences I would assume that ‘staging’ means a holding location outside of the security perimeter while staging means an area within the security perimeter. The final question in this section is oddly worded which makes it difficult to determine how to answer the question. It reads:

Procedure for… “Notifying and contacting local law enforcement depending on the identity of the driver and identity of the load.”

Presumably DHS is asking about a procedure for dealing with a driver/load that cannot be identified or vetted. This would mean that there is a serious suspicion that the driver is up to no good. Unless the facility security team has arrest authority (which would be unusual unless they are off-duty law enforcement personnel) the local law enforcement would have to be contacted to affect an arrest. Training Questions This is the first time that we have seen questions related to training in the SSP. It seems more than a little unusual since there is a complete RBPS (RPBS #11) dedicated to this subject. Additionally there appears to be a minor misprint in the Questions manual. The manual shows a list of training frequency questions followed by a typical question that would lead such a list of question. That question is:

“Does the facility require individuals granted unescorted accesses to the facility to attend security awareness training at the facility?”

Usually, such a qualifying question, if answered ‘No’ would remove the frequency questions from the SSP tool for that facility. Finding this question at the end of the section kind of defeats that purpose. These security awareness training questions ask how often the described training is conducted with responses of: monthly, quarterly, semi-annually, annually, biennially, triennially, never. All but the last question in the group asks about ‘recognizing and detecting’ a variety of threats, ranging from ‘explosive materials’ to ‘characteristics and behavioral patterns of persons who are likely to threaten security’. The last question in the section is the ‘odd man out’. Instead of ‘recognizing and detecting’ it asks about “general techniques used to circumvent security measures?” While it is slightly different from the other questions in the group it does provide some recognition of the fact that potential adversaries will be attempting to subvert or by-pass facility security procedures. Background Investigation Questions There is another set of questions that seems to be slightly out of place in the RBPS. They deal with background investigation; an area that will certainly be dealt with in more detail in RBPS #12, Personnel Surety. This final section in RBPS #6 has three questions requiring a ‘Yes’/‘No’ response. Adequacy of Procedures As noted about there are a number of questions in this RBPS section that ask if the facility has a procedure to deal with ‘X’. The answers to such question are invariably ‘Yes’/‘No’, but anyone that has ever worked with regulatory agencies knows that there may be along way between having a procedure and having an ‘acceptable’ procedure. At this point DHS in the CFATS process DHS is not asking to see a copy of the procedure mentioned in the question; it is simply asking if the facility has a procedure. When the first inspector shows up after the SSP is approved to verify that the facility is actually implementing the approved SSP, the inspector will want to see copies of each of the procedures asked about in the SSP questions. Whether the facility has separate procedures for each of the security areas identified or one massive procedure is probably of little consequence. DHS is not going to have the manpower or time available to review each of the procedures in detail. With the wide variety of types and sizes of facilities covered by the CFATS regulations each of these procedures will be unique and it would be way too time consuming to do an in depth review either at the facility or back at the ‘office’. What I would not be surprised to see is DHS developing at some time in the future would be ‘procedure’ tools under CFATS to help them do a more detailed evaluation of procedures. They would be the same type answer the questions and fill in the blank type tools that have become so familiar to CSAT users.

SSP Submission – RBPS #5 Shipping Receiving and Storage

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures SSP Submission – RBPS #1 Restrict Area Perimeter SSP Submission – RBPS #2 Secure Site Assets SSP Submission – RBPS #3 Screen and Monitor SSP Submission – RBPS #4 Deter Detect and Delay This section of the SSP looks at security measures, processes and procedures that specifically control shipping, receiving and storage to help facilities to “minimize the risk of theft or diversion of any of its hazardous materials” and “helps to prevent tampering or sabotage” (pg 59 RBPS Guidance document). This section applies to both facility wide security measures and measures that apply only to specific assets. After the questions about whether the facility has facility wide and asset specific security measures for RBPS #5 there are two additional generic questions that apply to facility wide measures. Each question has a potential ‘Yes’, ‘No’ and ‘Other’ responses. The ‘Other’ response makes no sense as a response to these questions. The two questions are:

“Does the facility have a ‘Know Your Customer’ program? “Does the facility have a Product Stewardship program?”

Documentation Questions The next series of questions deals with the documentation of sales and purchases of hazardous materials. These questions specifically ask about all hazardous materials (per 49 U.S.C. §§ 5101, et seq.) with the parenthetical inclusion of the phrase ‘including COI’. This ties in with the discussion in RBPS Guidance Manual that explains that DHS considers that RBPS #5 applies to all hazardous materials not just the COI listed in the notification letter. DHS does not make answering these questions very easy. When asking for a ‘quantity’ they provide three possible responses in check-off boxes. Those responses are: “All”, “Most” and “None”. The explanations for these terms are not provided, so we should be able to take them at face value. Unfortunately this leaves a potential response gap between ‘most’ (‘All’> ‘most’ > ‘half’) and ‘none’; there really should be a ‘some’ response available if DHS is not going to provide for a numerical response. I would guess that DHS wants anything less than ‘most’ to be answered ‘none’. One of the documentation questions does not refer to ‘hazardous chemicals’ or ‘COI’. It asks about shipments of ‘feed materials’ or ‘products’. The distinction is fairly clear in the wording so this must refer to all incoming raw materials (not just chemicals) and all outgoing products. In a chemical manufacturing environment this would be important because the contamination of any of the raw materials with the ‘proper’ contaminant could result in a catastrophic incident. There is an ‘odd’ pair of questions at the end of this first section. This question addresses the use of ‘numbered photo identification badges’. This is another one of those questions that has been asked earlier in the SSP; in this case in RPBS #3. Transportation Security Questions There are a number of areas within this RBPS that address transportation security. The first such area has a number of questions about the carriers that are used by the facility for outbound shipments. An interesting thing about these questions is that they don’t mention ‘hazardous materials’ or ‘COI’ or ‘covered materials’; this implies that the questions apply to all shipments made from the facility. The final series of Yes/No questions regarding transportation security deal with a variety of policies and procedures to provide transportation security for hazardous materials. They include such things as performance checklists, team drivers for long trips, procedures for vetting drivers, and redundant communications protocols. Security Measure Questions There are a couple of separate areas within this RBPS section that deal with security measures employed. The first of these areas deals with man-portable containers of ‘hazardous materials’. Nothing in the Questions manual or the RBPS Guidance document provides a definition of ‘man-portable containers’. Certainly 5-gal containers would fit that description; 30-gal containers can be man-handled relatively easily; and with a hand-truck even 55-gal drums can be moved by a single person easily. The questions about man-portable containers start with a qualifying question asking about ‘what number of hazardous materials in man-portable containers’ are provided with additional security measures. The wording of the question is odd (are we noticing a trend?); it doesn’t ask about the number of containers, but about the number of hazardous materials (again ‘including COI’). Again the answer is not a number, but the same ‘All’, ‘Most’, and ‘None’ that we have encountered in this section before. If the answer ‘None’ is selected, the Prepare will see none of the other questions in this area. There is a series of questions relating to the security techniques used to monitor hazardous materials on site. These questions briefly address such techniques as video monitoring, intrusion detections, physical security techniques. The potential answers to these questions are ‘Yes’, ‘Partial’, and ‘No’. No provisions are made for explaining ‘Partial’ responses. The final series of questions dealing with security measures ask about tamper resistance devices. These Yes/No response questions deal with the use of numbered seals on container closures, tamper resistant locks, and other techniques that would provide evidence of unauthorized access to hazardous materials. Inventory Control Questions There are a number of inventory control questions. One series of questions addresses procedures that the facility has put into place to implement a ‘know your customer’ program. Another series deals with the storage area used for hazardous chemicals and the processes used to monitor those storage areas. All of the questions in these areas are answered by selecting ‘Yes’ or ‘No’. There are a couple of ‘odd’ questions in these inventory control questions. First the facility Preparer is asked if the facility “has a written policy limiting the on-site inventory of specifically identified hazardous materials (including COI) below threshold quantities”. This question might make some sense if there was a follow-up question to ask which hazardous materials are ‘specifically identified’. Another question asks if the inventory control system provides links to the Material Safety Data Sheet (MSDS). While this is briefly mentioned in the RBPS Guidance document (pg 61), there is no explanation how such a linkage would contribute to the security of the hazardous material. An MSDS provides information about chemical safety, not chemical security.

SSP Submission – RBPS #4 Deter Detect and Delay

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures SSP Submission – RBPS #1 Restrict Area Perimeter SSP Submission – RBPS #2 Secure Site Assets SSP Submission – RBPS #3 Screen and Monitor This section of the SSP looks at security measures, processes and procedures that specifically serve to deter, detect and delay potential terrorist attacks on the facility. This section only applies to facility wide security measures. It does not include provisions for answering questions about securing individual critical site assets. Previously Provided Information Many of the questions will look like they have already been answered in previous sections of the submission. It is not clear from the manuals provided by DHS if the previous responses will cause the information to be ‘pre-populated’ into these new questions. If the information does not get automatically carried forward into this section, facility Submitters are going to have to carefully review duplicative questions to make sure that consistent answers are provided. It is interesting that the questions on anti-vehicle barriers on the facility perimeter in this section were not found in support of the RBPS #1 section, but were seen earlier in the RBPS #2 section dealing with security measures for site assets. Similarly, the questions about security lighting were found in RBPS #2 but not RBPS #1. Neither sets of answers will ‘carry forward’ to this RBPS since they were directed at asset security not perimeter security. Answers from RBPS #2 questions (or any other question about asset specific security measures) should not be ‘transferred’ to questions for this RBPS. Anti-Vehicle Measures Preparers can find definitions and descriptions of the vehicle barriers in Appendix C of the Guidance document. The ‘K rating’ system is also briefly explained there. K rating data should be available from the barrier installer, though facilities should probably check with manufacturers to ensure that the installer is trained and certified in the proper techniques for installing the barriers. Many manufacturers will be able to recommend independent inspectors that will verify the installation was done in a professional manner. Proper installation is critical for insuring that the barriers meet their ‘rated’ K values. CCTV Measures Most of the CCTV questions found in this section were found in both RBPS #1 and #2. The answers from the RBPS #1 questions should be the same as the answers for these questions. This is where one might expect that a well designed system would pre-populate the answers with those provided in an earlier section. There should be no intention on the part of DHS to ‘catch’ facilities in inconsistencies. There are a couple of new questions in this RBPS section that probably should have been included in the list of questions for both RBPS #1 and #2. Two completely new questions (requiring a yes/no response) are (pg 139):

Is the surveillance system integrated with the access control system? Is the surveillance system integrated with the intrusion detection system?

These are interesting and potentially important questions. I am more than a little surprised that there are no follow-up questions regarding the details of the integration. The other ‘new’ question is more of a follow-up question to one asked in the RBPS #1 section. The earlier question (pg 74) asked about the monitoring frequency. This question asks about monitoring responsibility. The provided answers (including the obligatory ‘other’) are

System monitoring and control by dedicated control room operator. System monitoring an ancillary responsibility of control room operator. System monitoring and control by dedicated security force member. System monitoring an ancillary responsibility of security force member.

Since these questions are going to be used by DHS to evaluate the effectiveness of CCTV system (if present, of course) in detecting an attack in progress, facilities should be careful to use the ‘other’ response on this question to address any aids that the facility might use to help those monitoring detect a penetration. Automated surveillance systems should certainly be listed here. Security Forces This RBPS Section of the SSP includes a mix of new and repeated questions about the security forces. The question about security patrols is a duplicate from RBPS #1 (pg 76) and RBPS #2 (pg 104). As mentioned previously the answers from RBPS #1 should be duplicated here while straight copying of RBPS #2 may not be appropriate. The new questions here have to deal with the details of where the security forces are housed; what the Questions Manual calls ‘security structures’. First a question is asked about ‘stationary posts’. One has to assume that this question applies to stationary posts for security personnel from the listing of posts provided, but an unmanned personnel entrance that uses some sort of access control system could qualify for a ‘main personnel entrance’. I question the inclusion of ‘special posts’ along with the standard entry for ‘other’ since there is no requirement to explain what a constitutes a ‘special post’ while a response of ‘other’ requires that the facility provides a description of that type of post. There are three questions specifically about ‘security structures’; presumably this means buildings used to house one of the previously identified ‘stationary posts’. It seems redundant to ask if a facility has ‘security structures’ after asking about ‘security posts’. The next question deals with physical structure and protections associated with these security structures. This question only makes sense if it were asked for each of the structures identified in the stationary posts question since the provided answers may only pertain to one of the posts. The same could be said about the question dealing with ‘controls’ available within the security structure. While some facilities might have duplications of all security controls at all security posts, this is probably not a good idea for most facilities, particularly when it control of an isolated post might allow an attacker to control cameras and intrusion detection systems to avoid detection. There is one question that follows the security structures questions that deals with ‘process controls’ available at the facility. The question asks what ‘process controls’ are available at the facility and provides the following answers:

Both security and operational functions Security functions Operational functions Neither Security nor operational functionality Other

There is no explanation provide in the Questions Manual or Instructions Manual about what types of ‘process controls’ are being covered in this question; not even explaining if they are asking about cyber controls or manual control systems. This is especially confusing since there are no follow-up questions about locations of the controls for those systems or protections offered to such systems. Adversary Delay There are a series of questions about internal access controls and barriers used to delay potential adversaries from reaching critical assets within the facility. These questions seem to duplicate those found in RBPS #2. What should be clear here is that these are still facility wide measures and not measures dedicated to individual critical assets. Facilities that did not define critical assets in RBPS #2 should certainly include any internal controls in their response to this question. It is harder to determine what DHS is looking for if the facility did identify and report security measures for critical assets within the facility. If there are internal security measures that were not reported for individual assets, they should certainly be reported here. If security measures reported in RBPS #2 serve other critical areas within the facility they should probably be reported here. Finally, security measures unique to specific critical assets that have been reported for those assets in other areas of this SSP should probably not be reported here. Key Control There are a number of questions about the ‘key control’ procedures that the facility uses. Actually, this classic physical security process has been expanded beyond the old style key and combination control procedures. With the expansion of the use of credentials that allow access through automated access control systems, this key control section includes control of those credentials. All but one of the questions included in this section are straight forward that require little or no explanation. The one odd ‘question’ is the one that states:

Select "Yes" for all the key inventory/controls the facility has:

The available answers makes it clear the question is actually about who administers the key control process. While there is a ‘company’ and a ‘security department’ response there should probably have been a ‘facility’ response as well for those facilities that have a facility control procedure that does not managed by a security department. Security Forces The final section in this RBPS concerns the use of security forces. This is one area of the SSP that is going to be the most controversial because of the references to armed security personnel. From comments received during the draft RBPS Guidance review it is clear that many facilities are adamantly opposed to the use of armed security personnel. From the questions found in this section there is no real clue about how DHS will address this issue in their approval of the SSP. The section starts out with the typical ‘does the facility have’ question. A no answer in this case bypasses about half of the questions in the section. What is surprising is that questions about off-site armed response (presumably including police force response) are bypassed by a no response to this question. I hope that there is a disconnect between the Questions Manual and the actual SSP in this case. The question of off-site response is especially critical for facilities that have no on-site security forces. This is not the only organizational anomaly found in this section. In the section that all facilities are required to answer are two questions about ‘posted personnel’. The first question asks about the types of observation provided by posted personnel. Many facilities that answered no about the security force personnel are going to be confused about how they can answer this question. The next question provides some additional guidance by including non-security operations personnel in who may provide observation. Finally, the ‘tactical positions’ question should have been included in the portion of this section by-passed by a ‘No’ response to the initial security force question. A facility that does not have a security force is unlikely to have ‘hardened/defensive positions’ or ‘hardened fighting positions’.

SSP Submission – RBPS #3 Screen and Monitor

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures SSP Submission – RBPS #1 Restrict Area Perimeter SSP Submission – RBPS #2 Secure Site Assets This posting looks at the SSP sections that deal with Screening and Monitoring access to the facility. Questions for this RBPS may be found in both the Facility and Asset level sections of the SSP. If the facility has indicated that there are asset specific security provisions at the site, they will be asked if there are RBPS #3 measures for each of the identified assets. An affirmative answer will require the answering of a series of questions about those measures. Screening Questions The first real question asks about the general level of screening conducted at the facility. With answers ranging from all vehicles and personnel entering the facility to no screening, it seems to be fairly easy to select an appropriate response. One slight draw back; the answers assume that similar levels of screening are being done for both personnel and vehicles. If one is being required to undergo a significantly higher level of screening than the other, use the “Other” response and explain the situation in the provided block. Then there will be individual questions about the use of screening on inbound and outbound vehicles and personnel. An affirmative answer to any of these questions will bring up additional detailed questions about how that screening is performed. The first question in the series asks about the methods used to perform the screening with four possible answers:

Not allowed on site Cursory inspection Random inspection Not applicable

These answers do not appear to include 100% screening, but that is misleading. If the facility were to select ‘Random inspection’ the subsequent question asking about the frequency of inspection includes an answer of ‘100%’. Thus a facility that does 100% screening should select ‘Random inspection’ for their response to the initial question. There is a special area for ‘Inbound Trucks and Railcars’. It is not clear from the information available in the Questions Manual whether these questions are limited to tank trucks and tank cars or if they also include dry-box trucks and rail cars. Looking at the earlier questions about inbound inspections, there are questions about inbound ‘delivery vehicles’ which could include dry-box trucks picking up shipments. I would probably tend to answer questions about dry-box trucks under the ‘delivery vehicle’ question and any boxcar rail shipments under the ‘Inbound Trucks and Railcars’ question. I base this assumption on the fact that both types of railcars are required to be inspected before loading under TSA rail security regulations (49 CFR §1580.107(a)) if they are being loaded with Rail Security-Sensitive Material. For facilities with Theft/Diversion COI there will be a series of question about inspections of outbound vehicles. It may seem strange to see the question about POV (personally/privately owned vehicles) outbound from ‘Theft COI Areas’, but this would be an appropriate question if POVs were allowed to be parked near warehouse areas where Theft/Diversion COI are stored or loaded onto trucks. If one of the vehicle types addressed in this section is not allowed to be parked near an area where Theft/Diversion COI are stored or handled, the appropriate answer would be ‘Not Applicable’. Similar questions are asked for a variety of personnel and their hand carried items. Again, there are separate questions for inbound and outbound inspections. The answers to these questions are essentially the same as those answered for vehicle inspections. Identification Verification The other area included in this section deals with the procedures that the facility uses to verify the identity of personnel entering the facility. The first set of questions in this section concern ‘General Identification Methods’. Two of the questions in this section seem to be out of place since they ask about checks of vehicles and hand carried items to prevent “the introduction of weapons, explosives, drugs, etc. into the facility” (pgs 116-7, Questions Manual). These questions were dealt with in great detail in the earlier ‘Screening’ section of the SSP. Most of the questions are fairly straight forward items asking about procedures for checking identification and the uses of badges and passes. One question seems a little bit odd in the way it is presented. On page 120 of the Questions Manual there is a matrix that looks at the types of badges and passes that might be used on one axis and the people that might be required to use those badges and passes on the other axis. Where the columns cross you find the typical ‘Yes’ and ‘No’ buttons. This is a an economical way of presenting these questions. The odd thing is the last entry on the ‘personnel’ axis; ‘N/A’. The only thing that I can think of is that a check in the ‘Yes’ box in the ‘N/A’ column automatically marks ‘No’ for all of the personnel responses for that ID type. Access Control System While Access Control Systems (ACS) are technically part of the ‘identification verification process’ they do deserve their own unique discussion. I was disappointed that Access Control Systems were not addressed in the RBPS Guidance document, but they are addressed here in the SSP. Unfortunately, from the information presented in the Questions Manual, it is not possible to tell if there will questions on the use of ACS in the asset security portion of this RBPS section. There are a similar series of questions to those seen in the CCTV and Alarm Systems section of the RBPS #1 questions. They ask where the ACS will be ‘controlled’, ‘administered’ and ‘monitored’. The way the ‘monitored’ question is presented (a ‘Yes’/’No’ choice for each location) that multiple answers to that question are expected. I have the same complaints about the lack of explanation for the distinction between ‘controlled’ and ‘administered’ that I expressed in the SSP RBPS #1 posting. Vehicle Restrictions The vehicle restrictions section of the RBPS #3 portion of the SSP looks at how the facility controls the movement of vehicles into and within the facility. This section uses a term that is derived from the design of European Castles; the ‘sally port’. In castle construction this was an area between the inner and outer walls of the castle where a force could assemble to ‘sally forth’ and conduct their counter attack It was distinguished by two sets of gates; one in each wall. In modern security usage it describes a protected area where an inspection can be conducted between two closed gates. Under high-threat conditions only one gate will be opened at a time. This section also includes questions about parking areas on and off site. There are questions about the parking situation allowed for a variety of classes of vehicles, including employee, contractor and visitor POVs. The other class of vehicles listed is ‘Delivery’ vehicles, so I guess this covers both pick-up and deliveries (answering a question earlier in this posting). One class of vehicles that is missing from this section is ‘Service Vehicles’; those vehicles driven by a wide variety of vendors that make deliveries and provide technical services at high-risk chemical facilities. They may include uniform, food and office supply vendors that do not typically make their deliveries to normal loading docks. They may also include a wide variety of technicians providing service to a wide range of specialty equipment. This may be especially critical since these vehicles are frequently parked in or adjacent to operational areas of chemical facilities.

SSP Submission – RBPS #2 Secure Site Assets

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual and Questions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures SSP Submission – RBPS #1 Restrict Area Perimeter The Final Facility Notification Letter will include a list of facility assets with the associated COI that the facility must address in their site security plan (SSP). Section 5 of the Instructions Manual provides some over-all directions for the completion of this RBPS in the SSP. Unfortunately, there seems to be a serious disconnect between how the Instruction Manual and the Questions Manual address RBPS #2. The confusion caused by this disconnect is at least partially cleared up by referring to pages 52 thru 56 of the SSP Screenshots available on the CSAT SSP web page. Given the importance of the Screenshots document in understanding this RBPS, DHS should have listed the document in the Key Documents section of the CSAT web page. Incomplete Instructions The Instruction Manual notes that “DHS expects that RBPS 2 (Secure Site Assets) typically will be applicable to all facilities at either the facility-wide level or the asset level (or both). However, a facility must address RBPS 2 for each asset whether or not facility-wide security measures were previously entered” (pg 34, IM). This implies, and later discussion confirms, that the facility will be required to identify and describe each asset. The Questions Manual only mentions identification of assets obliquely, stating after the first “Are there any security measures…” question that the Preparer should if “answering at the Asset level, write the name of the asset for which you are providing answers.” There is no indication that each asset identified in the Notification Letter must be named and described as identified in page 52 of the Screenshots. Nor is there any mention of the long list of questions about each asset that are shown on page 53 of the Screenshots. Additionally, there is no indication in RBPS #2 the Questions Manual that the facility will have to identify those RBPS that have “asset-specific security measures that are different from the facility-wide security measures” (pg 39, IM). There are brief mentions in later RBPS sections that questions may apply to either facility or specific assets. If the facility is planning on using the Questions Manual as a workbook for data collection for their SSP submission I have some suggestions for modifying that manual. Copies should be made of pages 53 thru 55 of the Screenshots; one copy for each asset identified in the Notification letter and any other assets that the facility might wish to report upon. Then the same number of copies should be made of each of the pages in the Questions Manual for the following RBPS numbers 3, 5, 6 and 7. A copy set should be labeled and grouped together for each asset and tabbed for easy access. Barriers Most of the questions dealing with barriers are very similar to the questions in RBPS #1. The reason for that is relatively simple; barriers are very much the same whether they are located on the facility perimeter or on the perimeter of a restricted area within the facility. There are some new questions such as the one dealing with skylights in roofs because the assumption was made that buildings roofs would be inside the facility perimeter. Surprisingly there are a number of new questions that probably should have been included in RBPS #1. For example there are detailed questions about anti-vehicular barriers, which certainly are applicable to internal barriers, but would also apply to facility perimeter barriers. Other questions in this category include the questions on barrier upgrades. There are two questions about internal barriers that are surprising in their sophistication. There are two internal barrier questions that deal with movable barriers utilizing ‘dispensed liquids, foams’. I have only seen these obliquely mentioned in the literature and they are not addressed at all in the RBPS Guidance document. I would certainly be interested in hearing from anyone that sells or uses such barriers. Intrusion Detection Systems The questions about intrusion detection systems for this RBPS are nearly duplicates of the ones used in RBPS #1. There are some minor changes in wording, but the intent on the questions remains the same. Given the similarity in questions it is imperative that Preparers keep in mind that they should not duplicate the answers from RBPS #1 unless there are similar sensor systems in use around internal restricted areas. Security Lighting I hadn’t noticed that there were no questions about security lighting in RBPS #1 until I read the questions on security lighting in this RBPS. I have no idea why these questions were not included the RPBS #1 Questions; the subject is certainly addressed in nearly identical language in the two RBPS sections in the Guidance document. The questions here focus on where the security lighting is, the level of lighting provided at specific areas (site perimeter, gates, and other critical locations), and the percentage of gates and critical locations that are lighted.

SSP Submission – RBPS #1 Restrict Area Perimeter

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data SSP Submission – Facility Security Measures In this posting I’ll look at the first RBPS, Restrict Area Perimeter, following up yesterday’s blog on the discussion of this RBPS in the Guidance document. As we will see with each RBPS section in the SSP the first question (pg 58) [Note: all page references are to the Questions Manual] is: “Does the facility have any existing, planned, or proposed measures for RBPS 1?” A negative answer to that question completes this section of the SSP. DHS will evaluate the entire SSP submission to determine if the ‘No’ is an adequate method of addressing this RBPS. There certainly may be facilities that require no security measures to protect the area perimeter, but most facilities will not be able to justify such an answer. Mechanics Preparers that worked on the facility’s Top Screen or SVA submission will be familiar with how these sections of the SSP submission work. Most questions require checking off either ‘yes’ or ‘no’ responses. Frequently a yes answer will lead to more detailed questions on that security measure. Many questions will provide a list of possible responses each followed by the typical ‘yes/no’ buttons. The last answer in these lists is usually ‘Other’. A ‘yes’ response will bring up a fill in the blank box where a short description will be used to explain that ‘Other’ response. For example the first security question in RBPS #1 is: “Does the facility have a defined perimeter marked by company property, no trespassing signage, fencing, or other barriers?” There are three response buttons; ‘Yes’, ‘Partial’ and ‘No’. A ‘Yes’ or ‘Partial’ response will lead to a more detailed question about the characteristics of that perimeter. A ‘No’ answer will lead one to the next question, concerning Clear Zones. As I noted in an earlier blog, there are no ‘instructions’ for the RBPS sections of the SSP in the SSP Instructions Manual and only navigation instructions provided in the Questions Manual. This means that Preparers are going to have to make educated guesses about terms like ‘Partial’ in these questions. One would presume in this case that ‘Partial’ means that the perimeter marking does not cover the complete facility perimeter. If the preparation team has questions about terminology they should first refer to the appropriate sections in the RBPS Guidance document (including Appendix C). Most of the questions are labeled with the RBPS Metric number that they support, this should help facility personnel figure out what information is being requested. If there is still confusion contact the CFATS Helpline (866-323-2957; Monday-Friday 7:00 a.m. – 7:00 p.m., Eastern Time). Potential Problem Questions I am not going to discuss every question in the section. Most of them are straight forward with the minimum of ambiguity. Other, however, I would expect to be somewhat confusing to people that work in chemical facilities and have little background in physical security. A word of warning, I am not a trained DHS Inspector so my interpretations may not toe the DHS party line. When in doubt, call DHS. Clear zone: The ‘clear’ zone is the area adjacent to a barrier that is cleared to nearly ground level (think closely cropped lawn) that allows personnel or surveillance equipment a clear view of potential operations near the barrier. Ideally that clear zone would be on both sides of the barrier to allow for the best observation. The ideal width of the clear zone depends on many factors, particularly the terrain, but should be wide enough to allow for ready access to security and maintenance vehicles. ‘Clear zone policy’ refers to the procedures for investigation/response to the detection of movement or penetration of the clear zone. Standoff distance: ‘Standoff distance’ is the distance between a potential target and the closest allowed approach to that target. The RBPS Metric 1.3 only addresses standoff distance for VBIED (vehicle borne improvised explosive devices) suggesting “Sufficient vehicle standoff distance or alternative protective means are provided to ensure that a VBIED is extremely unlikely to be able to compromise a critical asset.” Adequate standoff distance depends on the amount of ‘overpressure’ the target is capable of withstanding and the assumed size of the VBIED. Standoff distance for direct fire weapons like rocket propelled grenades may also be considered. Barriers: There are a large number of questions about a wide variety of possible barriers that might be employed at a high-risk chemical facility. The term ‘partial’ is used for many of the answers and refers to the fact that the ‘barrier’ referred to in that question does not completely surround the facility. Access Points: The way this term is used in the single question may be misleading. It does not refer to gates or doors (those are addressed elsewhere), but instead deals with alternative/clandestine routes through the barrier system. ‘Ditches’ and ‘culverts’ are easy to understand in this context, but ‘public roadways’ is less clear. This almost certainly refers to public roads that traverse the facility. What I don’t understand is why there are no questions about security measures protecting these ‘access points’. Intrusion Detection: Again, there are a large number of detailed questions about IDS or ‘intrusion detection systems’. The ‘partial’ response to these questions means that the system being addressed only covers a portion of the facility perimeter. These questions do not concern IDS systems protecting individual assets (that would be covered in RBPS #2). While there are questions about the existence of ‘back-up power supplies’ nothing addresses the duration these back-up will work. I have no idea what ‘controlled’ and ‘administered’ mean for IDS; they are either on or off. CCTV: The closed-circuit television (video surveillance) coverage question has a ‘new’ ‘Not Applicable’ response. If a facility does not have the type of COI referenced in the question (Theft/diversion or sabotage) or loading/unloading areas the appropriate response is “Not Applicable). The ‘controlled’ and ‘administered’ questions make more sense here. ‘Controlled’ refers to the ability to move cameras or their focus to change the field of view. ‘Administered’ refers to the over-ride authority to take control of a camera. Security Personnel: The term security personnel is used with a very wide definition. This can be seen in the use of the terms ‘dedicated’ and ‘casual’ to describe types of ‘observation’. ‘Dedicated’ observation is provided by personnel with the primary job of security. ‘Casual’ observation is provided by all facility personnel that have received rudimentary security awareness training and have some means for reporting an observed security incident.

SSP Submission – Facility Security Measures

This is another in a series of blog posting on the recently released Site Security Plan Instructions Manual. The other blogs in this series are: Preparing for SSP Submission SSP Submission – Facility Data While the two earlier sections of the Site Security Plan, Facility Information and Facility Operations, were extensive (and provided essential information to DHS) we are now beginning to look at the meat of the Site Security Plan (SSP); the Facility Security Measures. This section deals with equipment and procedures that are applied to security on a facility wide basis. While specific pieces of equipment may exist at only a single location in the facility, they provide some measure of protection for the entire facility. Facilities may also have security measures designed to protect a specific asset, but those will be covered in next section of the SSP, Asset Security Measures. Risk-Based Performance Standards The Facility Security Measures section of the SSP is organized around the Risk-Based Performance Measures (RBPS) specified in 6 CFR §27.230. Each of the 18 RPBS will be addressed in turn, starting with the Restrict Area Perimeter and ending with Records. Each RBPS will have to be addressed for every facility, but how a facility addresses any RBPS will depend on the facility. As each RBPS section is opened in turn, the first question that the Preparer will encounter is “Does the facility have any existing, planned, or proposed measures for RBPS X?” If the answer to that question is ‘No’, then that RBPS has been addressed and the facility may move on to the next RBPS. DHS will determine if ‘No’ is an adequate way to address that RBPS by looking at the totality of the SSP. “Failure to provide information about security measures relevant to a given RBPS may result in the need to submit a revised SSP and, in some cases, ultimately could lead to disapproval of a facility’s SSP” (pg 33). DHS does expect that most facilities will have security measures for most of the eighteen RPBS, either in the Facility Security Measures or Asset Security Measures section of the SSP. There are two exceptions to this general rule, RBPS 6 - Theft and Diversion and RBPS 7 – Sabotage. Facilities that do not have Theft/Diversion or Sabotage COI identified on their Final Facility Notification letter will probably not have security measures for these two RBPS. Security Measures If the initial question in the RPBS section is answered affirmatively, the Preparer will be able to access a number of questions about potential security measures that could support that RBPS. The first question for each security measure asks if the facility is currently using that security measure. “Facilities are required to list and/or describe existing security measures as part of Section 4 of their CSAT SSP submissions (pg 35).” There are a number security measures identified in each RBPS with a series of questions for each measure. Most questions are answered by selecting “Yes/No” or selecting from multiple choice answers. Most multiple choice questions include an ‘Other’ selection with space provided for a description of the answer. What does appear to be missing in the lengthy list of questions about security measures is a space for identifying unique security measures that are already in place. While the listing provided is certainly extensive, I would be willing to bet that there will be a significant number of facilities that will have found or developed security measures that are not included in the list. In some cases there these measures will be able to be squeezed into the ‘Other’ selection of existing questions. If a facility runs into such a situation I would suggest that they use the “Planned Measures” block to describe these measures and carefully describe that the security measure is already in place. The “Planned Measures” is included for facilities to list security measures that are not currently ‘in-place’ but have progressed to the point that they will be in place at some predictable point in the future. The facility must be able to document their commitment to completing the installation of the ‘planned measures’; “DHS may subsequently ask the facility to produce documentation confirming the planned measure” (pg 35). DHS may consider planned measures in their evaluation of the SSP. If the planned measure is required for DHS approval of the SSP, the Letter of Approval marking final approval of the SSP will not be forthcoming until the ‘planned’ security measure is actually installed. Security Measures Not Considered While DHS is requiring all current security measures to be included in the SSP submission, they did realize that there might be existing security measures that will be phased out as newer security measures come on-line. The problem is that the submitted and approved SSP will form the basis for subsequent DHS inspections of the facility. This means that the described security measures will then be required security measures. DHS has provided an area at the end of each RBPS section where facilities can explain what security measures that it does not want to be included in the approved SSP. DHS does note that “if a facility chooses to eliminate an existing security measure that is relevant to one or more CFATS RBPS, it is possible that the facility’s SSP, as submitted, may not satisfy the applicable RBPS” (page 36). Interestingly, there is no mention in the Questions Manual of a question about security measures that the facility does not want to be considered. Neither does the Screen Shots file show a picture of a screen with such a question. This is an unfortunate oversight. Proposed Security Measures The final question in each RPBS section deals with the issue of proposed security measures. These are measures that the facility is considering installing at the facility. There has been no firm commitment to have these measures in place, so DHS will not consider them in approving the SSP. The reason that a facility might want to include these potential security measures in their submission is that it DHS might not approve their SSP. These proposed security measures might allow DHS to say that: “No the current SSP is not approved, but if this proposed security measure were put into place, DHS would probably be able to approve the plan.” Instructions Shortcomings In my opinion there is one major shortcoming with the Instructions Manual; there are no instructions for the individual RBPS questions. While the RBPS manual provides some guidance on the items to be considered, there is a dearth of detailed information. The questions, however, contain a great deal of detail. In future discussions of the individual RBPS sections, I will identify those items that I think should have included additional information in the Instructions Manual.