According to DHS, approximately 2,500 security plans have been approved as of April 15. DHS also states that at their current rate, the Department will have inspected and approved all submitted security plans within the next four months.
The CFATS program is moving forward with the implementation of the Personnel Surety Program, enhancements and updates to the Chemical Security Assessment Tool (CSAT), conducting Compliance Inspections (CI) (to read more about What to Expect During a CI, click here), and improving their methodology on risk-tiering for facilities.
CFATS Personnel Surety Program (PSP) Update
The Department released a Notice of Implementation on December 18, 2015 informing the public of their intention to implement the PSP. The program has been implemented in a phased manner, with Tier 1 and 2 facilities first then Tier 3 and 4 facilities later this year or in 2017. DHS will contact facilities on an individual basis to begin implementation of the Personnel Surety Program. Facilities should wait until they are contact by DHS before making any modifications to their security plans.
The first Compliance Inspection that included PSP implementation was conducted January 28, 2016 and the first updated security plan was approved on March 4, 2016.
To read more about the PSP, click here.
Effective Now – New Requirements for CFATS Facilities – RBPS 12, Personnel Surety
DHS announced and distributed new requirements for Personnel Surety compliance, a clarification and instructions on CFATS Risk Based Performance Standard 12 – Personnel Surety (basically background screening as it relates to federal terrorism databases).
This requirement applies to Tier One and Two High Risk facilities. Each Tier One and Two facility will receive individual letters from DHS giving more detailed requirements and setting individual facility deadlines for compliance, including implementation and amending Security Plans. Requirements for Tier Three and Four facilities will be announced at a later date.
The new requirement relates to RBPS 12(iv) – Measures designed to identify people with terrorist ties, and focuses on Affected Individuals, defined as “facility personnel and unescorted visitors with access to restricted areas or critical assets.” For many of our clients this means almost all employees and contractors working in their plants.
Facilities may choose one of four options to comply or may propose a combination or alternative plan for compliance.
The four options (explained in detail in the instruction) are summarized below:
- Option 1: DHS to Vet Affected Individuals
- Option 2: Affected Individuals Who Possess Certain Credentials
- Option 3: Electronic Verification of TWIC
- Option 4: Visual Verification of Credentials
The requirement (attached) is well written and reasonably easy to understand. However the devil is, as always, in the details, and there is a lot of detail. The overriding questions chemical companies will ask are how do we implement these screening requirements for existing employees, what action will we take if existing employees fail the federal checks, and how do we comply with limited people and resources? These questions and the options should to be discussed between Human Resources and Corporate Security.
We are preparing templates now to help facilitate this discussion and to provide suitable amendments for Site Security Plans.
Recently, we learned the following – the long-awaited new CFATS Top Screen Tool will be posted next month with regulatory activity to begin immediately.
DHS plans to publish the new Top Screen Tool requirements in the Federal Register in July. They expect the new tool to be available in September, pending OMB approval. ALL regulated and unregulated facilities will be impacted.
Note the following:
- Effective immediately DHS will suspend processing incoming Top Screens and SVAs.
- Contact DHS for an extension of any required submissions prior the release of the new Top Screen Tool.
- If you are involved in an acquisition or divestiture, reach out to the help desk firstname.lastname@example.org for assistance in how to proceed.
- During this suspension period of the current Top Screen Tool, facilities who need to “zero out” because they no longer meet the thresholds for Chemicals of Interest (COIs) should continue forward and may contact the DHS Help Desk at email@example.com assistance.
- Once the new tool is approved and released, DHS will notify regulated and unregulated facilities to update their information and will provide facilities with deadlines in a gradual rollout for both unregulated and regulated facilities.
- ** Once notified, companies will have 60 days to complete entering and submitting their information.
- Activities for gasoline only facilities remain on hold.
- And, during this interim period, inspections will continue.
Recently the Coast Guard listed the most common MTSA Facility Violations. This is a good list to ensure your program is ready for their next inspection. This is also a good list to pass on to the guard force:
Typical deficiencies areas:
- Access Control
- Restricted Areas
- Drills and Exercises
- Owner/Operator Requirements
- Audits and VSP/FSP Amendments
Most common deficiencies noted on inspection are:
Failure to secure access points:
- Gates left open or unattended.
- Facilities failing to provide an escort for persons without TWIC.
Failure to check identification:
- Individuals gaining access to facilities by piggy backing.
- Security personnel failing to properly screen vehicles and personnel entering the facility.
Damage to perimeter fencing:
- Holes found in perimeter fence.
- Vegetation growing over fence line, allowing unauthorized access to occur.
- Emergency egress gates not secure.
- Missing or improperly placed Secure Area and Restricted Area signage.
Misunderstanding or not knowing the security procedures as stated in the approved FSP:
- Facility personnel or contract guard services failing to conduct screening at the rate specified in their FSP.
- Facility personnel or contract guard services not properly trained on relevant provisions of the FSP.
Restricted Areas not properly marked.
- Areas where FSP is stored (offices, file cabinets, etc.) not containing proper signage designating the area as a Restricted Area.
- Facilities missing “Restricted Area” signage, for example:
- Facility perimeter
- Server rooms
- Control centers
Not storing required documentation within a Restricted Area:
- Sensitive Security Information (SSI) not kept in an area designated as a Restricted Area.
Drills and Exercises:
- Failing to perform security drills in 3 month intervals.
- Failing to perform an annual security exercise.
- Failing to label drill and exercise documentation as SSI and store properly.
- Failure to maintain drill and exercise records.
Improper notifications to USCG:
- Breaches of security not immediately reported to USCG or National Response Center.
- FSPs not being submitted for renewal prior to the expiration date.
- FSPs containing unapproved changes and amendments.
- Facility owners or operators failing to notify facility employees of what parts of the facility are secure areas and public access areas and ensuring such areas are clearly marked.
- Facilities failing to train personnel with security duties; including facility personnel, contract security guard service, and/or TWIC escort companies on relevant provisions of the FSP.
Proper FSP Updating:
- Owner/Operator failing to ensure annual audits of the FSP are conducted by persons with requisite knowledge as required by the regulation.
- Current list of FSOs not updated in the FSP.
- Owner/Operator section of FSP missing TWIC requirements.
- Failing to designate a FSO and failing to designate a 24hr contact number for FSO.
Proper Implementation of FSP:
- Owner/Operator failing to ensure that the facility operates in accordance with the approved FSP.
- Facilities failing to follow incident procedures outlined in approved FSP.
- Facilities failing to provide security personnel with the ability to monitor video surveillance systems per approved FSP.
Failure to conduct annual audits:
- Facilities failing to conduct an annual audit of the FSP.
- Failing to provide certifying documentation of annual audit.
- Failing to follow audit requirements in accordance with the regulation.
- Facilities failing to review the FSP and submit changes to the USCG for approval.
- Failing to update the FSA each time the FSP is submitted for revisions.
Remember, an FSP is not a “binder on the shelf”, but a security operating plan that must be fully implemented and followed in every day operations.