Monthly Archives: August 2016

CSAT 2.0 Update: Changes Coming in October

DHS has released an update on the upcoming launch of Chemical Security Assessment Tool 2.0 (CSAT 2.0). They state that in the coming months, DHS will be reaching out directly to facilities believed to maintain Chemicals of Interest (COI) at or above the threshold quantities. These facilities will be required to submit new Top Screens to DHS using the new CSAT 2.0 online tool.

What does this mean for you and your facility?

DHS suspended the requirement to submit Top Screens and Security Vulnerability Assessments (SVA) on July 20, 2016 to prepare for the launch of CSAT 2.0.

After the transition to CSAT 2.0 and the improved risk tiering methodology in October 2016, DHS will begin to individually notify “chemical facilities of interest” to resubmit a new Top Screen using CSAT 2.0. They state that chemical facilities of interest include facilities that were previously determined not to be high-risk. The letters will be issued through CSAT 2.0 to each facility’s designated CFATS Authorizer and Submitter in a phased manner over the course of several months.

DHS states that CSAT 2.0 will improve the integration between the CSAT SVA and Site Security Plan (SSP) surveys, streamlining the compliance process and reducing the burden associated with completing these surveys.

Next Steps

  • DHS will replace the current CSAT surveys with the revised surveys this fall.
  • On October 1, 2016, DHS will reinstate the Top-Screen and SVA submission requirements.
  • DHS will individually notify facilities in a phased manner to resubmit their Top-Screens using the new tool.

Training on CSAT 2.0

DHS will be hosting several webinars, as well as presentations in several cities around the country, to demonstrate the new tool.

Webinars:

In-Person Demonstrations:

  • In September, DHS will post session dates, times, and locations

Final Rule – Transportation Worker Identification Credential (TWIC) Reader Requirements

Yesterday, the Department of Homeland Security and the U.S. Coast Guard published the Final Rule for TWIC Reader inspection requirements. This amendment to the Maritime Transportation Security Act requires owners and operators of certain regulated vessels and facilities to conduct electronic inspections of TWICs as an access control measure.

The final rule is effective August 23, 2018, and facilities have up to two years to be in compliance.

This final rule only affects vessels with more than 20 crew members (only 1 regulated vessel is identified at this time) and about 525 facilities that are in “Risk Group A”.

Risk Group A includes:

  • Vessels that carry or tow a vessel carrying Certain Dangerous Cargoes (CDC) in bulk.
  • Vessels certified to carry more than 1,000 passengers.
  • Facilities that handle CDCs in bulk or receive vessels carrying CDC in bulk.
  • Facilities that receive vessels certified to carry more than 1,000 passengers also are in Risk Group A.
  • As of now, no Outer Continental Shelf (OCS) facility is considered Risk Group A.

This final rule clarifies that for Risk Group A facilities, electronic TWIC inspection is required each time a person is granted unescorted access to a secure area (a limited exception is permitted for Recurring Unescorted Access, or RUA). For Risk Group A vessels, electronic TWIC inspection is only required when boarding the vessel, even if only parts of the vessel are considered “secure areas”.

The regulation states that each person who has been issued or possesses a TWIC must have their TWIC verified through an electronic inspection. They must also submit their biometric and Personal Identification Number (PIN) when requested by the TSA, USCG, DHS, or Federal, State, or local law enforcement.

Facilities and vessels will need to update their Facility Security Plans to meet this ruling.

TSA List of Cancelled TWICs

At MARSEC Level 1, facilities and vessels will have to ensure that the TWIC verification is conducted using information from TSA that is no more than 7 days old. At MARSEC Levels 2 and 3, the information from TSA must be no more than 1 day old. If the MARSEC Level increases, the TSA information must be updated within 12 hours, no matter when the information was last updated.

We will continue to review the final rule and provide more detailed summaries in future posts.

The Security Guard Audit

A few weeks ago, USCG officers arrived at a regulated facility and observed the main gate security officer not inspecting and validating TWIC cards, and not conducting vehicle inspections as required in the Facility Security Plan. For a moment, the USCG considered shutting down the facility. Recently the USCG also released a list of common MTSA Facility Violations.

We are often retained to conduct brief audits and training moments with entry guards. It works like this: one of us arrives at the entry point and observes security checking in and admitting people to the facility. Then we check in ourselves and spend a few moments with security management to relay our findings. Within moments, we return to the security post, explain that we just conducted an audit and spend a few moments renewing their training. These moments are powerful training tools that will not soon be forgotten. Ken Blanchard, the author of The One Minute Manager, said that supervisors should make every encounter with their staff a learning moment:

  • Catch them doing something wrong, quickly reprimand and then take a moment to retrain.
  • Catch them doing something right, quickly praise and let them know what they did so well.
  • Or, just stop by for a one minute reminder on a procedure or conduct that is important.

Penetration audits can give some indication of how well personnel are performing, but the real value comes from the training that results.

The Penetration Audit – A Powerful Training Tool

Picture a large manufacturing facility with a robust security infrastructure: access-controlled gates and entry doors, security guards on post and roving, monitoring with CCTV cameras, and perimeter intrusion alarms. Here all employees have participated in security awareness briefings. Management decided to test their employees’ response to intrusion by conducting a Penetration Audit, and the results were disappointing. On the flip side, however, the after-action review with the employees was in itself a powerful training tool.

A consultant was hired who, during the daytime, climbed over the fence wearing street clothes and carrying a backpack and a clipboard. He wandered through various buildings and processing areas. As he walked, he encountered more than a dozen employees. Many greeted him with a nod. Two employees stopped him and said that fire-resistant attire (FRC) was required. The consultant said his FRC gear and hardhat were in the backpack and he would go change into them. One employee showed him the location of a change room for that purpose but did not stay with him.

No one asked what he was doing or who he was, and no one reported him to Security. The positive benefit came when management met with employees for an after-action review. One can bet that in the future, strangers on site in this facility will be challenged and reported to security. One can also ask how different the outcome of the audit would have been if it were pre-announced.

Years ago, the security department at Apple hired a smart PI to test security. His mission was to get into the many facilities without screening by the lobby security guards, then leave through the same lobby obviously carrying a large box. On his first audit run, nine of ten security officers failed to stop him. He was a glib talker wearing a suit, and his demeanor intimidated most of the guards. Again, no one reported him to security management. As a Security Manager, I always preferred to pre-announce penetration audits and did so for the second run of the audit in a different set of buildings. This time, the auditor found the guard force tuned up, and 90% of the guards did the job right, stopping the man, asking for ID, and escorting him out of the building.

The results of penetration audits can be surprising to management, whether pass or fail. Either way, with surprise audits or pre-announced penetration tests, the value of these exercises as training moments that become embedded in personnel's long-term conduct is significant.

USCG Inspections and FSO Readiness

A few weeks ago, USCG officers arrived at a regulated facility and observed the main gate security officer not inspecting and validating TWIC cards, and not conducting vehicle inspections as required in the Facility Security Plan. For a moment, the USCG considered shutting down the facility. Recently the USCG also released a list of common MTSA Facility Violations.

The Facility Security Officer (FSO) should expect the USCG to conduct at least two inspections per year. Typically, one inspection will be scheduled with the facility and the other will be an unannounced inspection. These unannounced inspections typically occur at night. The FSO must ensure that their facility, FSP, and records are prepared for the USCG inspections.

Prior to the inspection, the FSO should review the FSP and confirm that all information is up to date and correct. The FSO should also verify that all pertinent documents and records are in order and have the required Sensitive Security Information (SSI) labeling. The FSO will need to ensure that all drills, exercises, audits, security equipment tests, etc. have been properly conducted and recorded.

The FSO will also want to ensure that facility personnel, including security guards, have been properly trained according to the regulation and are prepared to answer questions if asked by USCG officers.

Most deficiencies are typically discovered during the required Annual Audit of the FSP. The MTSA regulation requires facilities to conduct an annual audit and requires that the person(s) conducting the audit be independent of any security measures being implemented at the facility.

Don Greenwood & Associates, Inc. has provided security assessments, plans and training for hundreds of Facility Security Officers and security-related personnel as mandated in the Maritime Transportation Security Act (MTSA). We also have a full set of compliance tools, including training PowerPoints and Assessment Templates, and have produced employee training videos for several petrochemical companies.