Best Practices: Meeting CFATS Performance Requirements A Town Hall Meeting Thursday, January 27, 2011 Education Government Relations Research & Technology Standards 635 Slaters Lane Suite 110 Alexandria, VA 22314 (866) 817-8888 www.siaonline.org
Security Industry Association (SIA) SIA is a non-profit organization representing the interests of more than 350 manufacturers, integrators and distributors of electronic physical security technologies. For more information visit www.siaonline.org Education Government Relations Research & Technology Standards 635 Slaters Lane Suite 110 Alexandria, VA 22314 (866) 817-8888 www.siaonline.org
Speakers John Romanowich (Moderator) President & CEO, SightLogix Chairman, SIA Chemical Security Working Group Todd Klessman Branch Chief (Acting), Policy and Programs Branch, Infrastructure Security Compliance Division, Office of Infrastructure Protection Gregory Eatmon Global Security Manager, Baker Hughes Clyde Miller Director, Corporate Security, BASF Corporation Education Government Relations Research & Technology Standards 635 Slaters Lane Suite 110 Alexandria, VA 22314 (866) 817-8888 www.siaonline.org
Chemical Facility Anti-Terrorism Standards Status Update Todd Klessman Branch Chief (Acting), Policy and Programs Branch Infrastructure Security Compliance Division
Current Regulated Community DHS has received over 38,000 initial Top-Screens. Of the Top-Screens received and analyzed, DHS issued preliminary tier notifications and SVA due dates to over 7,000 facilities. As of January 2011, CFATS covers 4,755 facilities (4,094 Final tiered facilities, 661 preliminarily tiered facilities) across all 50 states. The breakdown of tiered facilities (preliminary and final) is as follows: Final Tier Total Facilities With A Regulated Final Tier Awaiting Final Tier 1 218 3 2 535 38 3 1126 146 4 2215 474 Total 4094 661 5
CFATS Implementation Status Site Security Plans (SSP): To date, ISCD has received, and is in the process of reviewing nearly 4,000 SSPs and Alternative Security Programs (ASP) submitted in lieu of SSPs. Pre-Authorization Inspections (PAI): Chemical inspectors continue to conduct PAIs to assist facilities in preparing appropriate SSPs. As of January 2011, more than 150 PAIs have been completed. Authorization Inspections (AI): The first CFATS AI was conducted in 2010, and as of January 2011, four AIs have been completed. Administrative Orders: To date, DHS has issued 63 Administrative Orders to facilities that failed to submit a Site Security Plan within the prescribed deadline; all 63 facilities are now in compliance with CFATS. 6
Major Ongoing & Planned Activities Appendix A Review: Evaluating the current Chemicals of Interest list and associated rules (e.g., Screening Threshold Quantities; mixture rules) Chemical Security Assessment Tool (CSAT) Updates: Refining the suite of CSAT tools based on lessons learned, input received from users, etc. CFATS/Maritime Transportation Security Act (MTSA) Harmonization: Working closely with U.S. Coast Guard to better harmonize the CFATS and MTSA regulatory programs Agricultural Production Facilities: Finalizing analysis of completed agricultural facility surveys to determine best approach to treatment of agricultural production facilities under CFATS Personnel Surety Program: Preparing responses to comments received during the second Paperwork Reduction Act Notice published in the Federal Register 7
Help Desk Contact Information The CFATS Help Desk toll-free number is 1-866-323-2957. Hours of Operation are 7:00AM 7:00PM, Monday through Friday. The Help Desk is closed for Federal Holidays. The Help Desk email address is CSAT@DHS.gov. For CFATS Frequently Asked Questions (FAQs) and CVI training go to WWW.DHS.GOV/CHEMICALSECURITY. 8
ENTERPRISE SECURITY AND CRISIS MANAGEMENT ENTERPRISE SECURITY AND CRISIS MANAGEMENT PAI Lessons Learned January 2011 CONFIDENTIAL
PAI LESSONS LEARNED 3 man DHS inspection team / DHS requested the following company personnel be available during inspection: ofacility Manager ophysical Security Manager ofacility Security Officer oassistant Facility Security Officer osecurity Guard Force ocyber Security Manager oprocess Engineer First day consisted of introductions, a safety briefing, discussions about the process, an overview of facility operations, a tour of the facility, and a brief discussion of the shortcomings of the SSP. The next two days were spent reviewing the SSP deficiencies in each of the 18 RBPS categories. Inspectors brought a list of SSP inadequacies for the site that had been prepared by DHS reviewers. Inspectors focused heavily on RBPS s 1, 2, 3, 4, 5, 8, and 12. Inspectors focused on satisfying to the letter the metrics noted in the RBPS Guidance Manual per each tiering level. CONFIDENTIAL 1
PAI LESSONS LEARNED The inspectors were adamant that only EXISTING or PLANNED measures that meet RBPS guidance metrics would be given consideration. The facility must show a definitive path forward and proof that the planned steps are in process to being implemented and not just modeling (i.e. engineering designs, proposals, bids from vendors, contracts, etc.). The inspectors could not identify or prescribe what specific measures the facility needed to meet compliance, but did suggest options on how to achieve compliance. A layered approach to site security is definitively a better approach and strategy for compliance purposes. Following the inspection, the inspectors provided a quick debrief and noted that the SSP would be made available to the facility for editing. It was recommended that the facility use the text boxes provided in the SSP tool to apply expanded explanations and clarifications to all RBPS measures noted in the SSP. In other words, DHS wants the facilities to use the text box (4000 characters per text box) to fully explain any and all security measures, procedures, and policies so they can be fully understood and evaluated against the RBPS metrics. CONFIDENTIAL 2
PAI LESSONS LEARNED Inspectors then provided the following schedule: o Notice of Completion of PAI and opening of SSP for technical editing. o 45 days to complete technical editing of the SSP. o Once the SSP is edited and resubmitted, it will be reviewed and the plan reevaluated. o If the SSP review is satisfactory, a Letter of Authorization will be provided to the facility, which means that DHS has tentatively accepted the SSP. If the SSP review is unsatisfactory a Letter of Clarification will be issued by DHS. o After the Letter of Authorization, a final compliance inspection will be scheduled by DHS. o Following the final compliance inspection, if there are no issues identified, a Final Letter of Approval for the SSP will be issued by DHS. CONFIDENTIAL 2
Clyde D. Miller Director, Corporate Security
CFATS - Once Upon a Timeline 50,000+ facilities
Reality CFATS 2011 4750 +/- Regulated Facilities Top Screens Completed Preliminary Tiers Issued SVAs Completed Tiers 1 & 2 Final Tiering SSPs underway Site visits beginning Tiers 3 & 4 being tiered in waves
Challenges Standards vs. Prescribed Measures How much is enough? How much will it cost? Actual vs. Planned vs. Proposed Measures Assets in SVA vs. Assets in SSP Consider measures outside of traditional security measures The SSP is NOT a Site Security Plan If You Say You Do It, You Better Do It Congress Isn t Done
Town Hall CFATS Best Practices Site Security Plan (SSP) Submission Keys to Preparing SSP CFATS Investments/Authorization Question & Answer Period Concluding Remarks Education Government Relations Research & Technology Standards 635 Slaters Lane Suite 110 Alexandria, VA 22314 (866) 817-8888 www.siaonline.org