DHS Issues Tiering Letters

Yesterday, the DHS Infrastructure Security Compliance Division began sending out tiering letters to facilities that recently submitted Top Screens using the new CSAT 2.0 tool.

You will receive an email for DHS stating that “A New CSAT Letter is Available for Your Facility Survey”. You will need to log in to your CSAT account and acknowledge receipt of the letter.

To read more about CSAT 2.0 Top Screens, click here and here.

TWIC Reader Clarification

Recently the Coast Guard shared a blog post to clarify the TWIC Reader Requirements Final Rule regarding CDC facilities.

The rule applies to facilities that are considered a Certain Dangerous Cargo (CDC) facility. These facilities are designated as Risk Group A facilities and will be expected to comply with the TWIC reader rule requirements effective August 23, 2018.

The blog post clarifies what a CDC facility is. According to PAC Decision 20-04 Certain Dangerous Cargo Facilities, in “order for a facility to be classified as a CDC facility, a vessel-to-facility interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk”.

Blog can be read here and PAC 20-04 can be found here. To read more about the TWIC Reader Requirements Final Rule, click here.

TSA Critical Pipeline Update

Excerpts from Surface Division Director Sonya Proctor:
“TSA has completed corporate security reviews on all of the nation’s top 100 pipeline systems, which collectively transport 84 percent of the nation’s energy. Through the program, TSA evaluates operator implementation of the pipeline security guidelines.”

“To ensure we remain vigilant, TSA works closely with the pipeline industry, which consists of approximately 3,000 private companies who own and operate the Nation’s pipelines. Because they are usually unstaffed, securing pipeline facilities requires a collaborative approach across government and industry. TSA has established effective working relationships to ensure strong communication and sharing of intelligence, training resources, best practices, and security guidelines. Pipeline system owners and operators maintain direct responsibility for securing pipeline systems. TSA’s role is to support owners and operators by identifying threats, developing security programs to address those threats, and encouraging and assisting the implementation of those security programs.”

2017 Port Security Grant Program (PSGP) Update

Last year the 2016 PSGP Notice of Funding Opportunity (NOFO) was released mid-February and applications had to be submitted by late April. It looks like this year, we will have to wait until late April or early May before the NOFO is released.

DHS/FEMA has an approved budget of $93 million for the 2017 PSGP, but are currently operating under a Continuing Resolution. The 2017 PSGP documents have been prepared and some are posted in draft. However, the actual launch of the program until the federal budget is approved. Again, this is expected in April.

This delay should not keep applicants from making sure their registrations are up to date and making sure they have a plan in place. This gives applicants more time to prepare their Investment Justifications (IJs) and ensure that their project budgets are ready to go when the NOFO is released.

To read more about preparing for the 2017 PSGP, click here.

“She did everything right!” – The great benefit of security awareness, training, and common sense

On Tuesday, February 21, there was a report of an active shooter at Ben Taub Hospital in Houston.  The subsequent “Code White”, broadcast on the hospital PA system, prompted an immediate evacuation and Houston PD launched a full SWAT response.  It was great to hear how one articulate, smart employee reacted when panic spread among her co-workers.  She told a KHOU reporter:

  • I locked and barricaded my door
  • I turned off my light
  • I put my phone on silent
  • I turned off my computer
  • I pushed my chairs against the door
  • I texted other employees
  • If your phone is on silent he may not even know where you are and you can communicate safely with others
  • It is unfortunate and it is just a different time. The world is constantly changing and we just have to be ready.

She remained in this self-imposed lockdown until the Doctor for whom she worked told her it was time to, and safe, to evacuate.

Whether she learned from a formal training session, from TV, from a poster on the wall, I am not certain.  I know she responded well and I know that basic awareness and response training can save lives by giving people the confidence to react calmly, organize their thoughts, and do the right thing under pressure.

USCG Issues Policy Regarding Reporting Suspicious Activity and Breaches of Security

This is CG-5P Policy Letter 08_16.   It discusses requirements and guidelines as summarized below for MTSA regulated ports.  The regulatory standing is quoted as 33 CFR 46, 70103.  It is dated December 14 and was distributed on January 16.  This renewed focus includes reporting requirements for cyberattacks and Unmanned Aircraft Systems activity.

The stated purpose of the letter is to “Promulgate policy for use by Maritime Transportation Security Act (MTSA) regulated vessels and facilities outlining the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting”.

It states, “An owner or operator of a vessel or facility that is required to maintain an approved security plan . . . (a) shall, without delay, report activities that may result in a Transportation Security Incident (TSI) to the National Response Center (NRC), including SA or a BoS. And, (b), the Facility Security Plan (FSP) shall . . . be consistent with the requirements of the National Transportation Security Plan and Area Maritime Transportation Security Plans.”

“The COTP will affirm consistency to help ensure alignment of SA and BoS communication procedures within FSPs throughout their area of responsibility.” 

Regarding cyber activity the letter states, The target and intent of malicious cyber activity can be difficult to discern. The fact that business and administrative systems may be connected to operational, industrial control and security systems further complicates this matter. The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate any such connections.

The letter goes on to describe U. S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events.  The U.S. Coast Guard regulations define a breach of security as “an incident that has not resulted in a TSI but in which security measures have been circumvented, eluded, or violated.” This definition includes the breach of telecommunications equipment, computer, and networked system security measures where those systems conduct or support functions described in vessel or facility security plans or where successful defeat or exploitation of the systems could result or contribute to a TSI.

BoS incidents may include, but are not limited to, any of the following:

  •  Unauthorized access to regulated areas;
  • Unauthorized circumvention of security measures;
  • Acts of piracy and/or armed robbery against ships;
  • Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
  • Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
  • Any denial of service attacks that Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.

 The letter contains lists of Suspicious Activities and Breaches of Security that should be reported and concludes with a Glossary of Terms.

Click here  for the complete document.

Policy Procedures and Standards Made Simple

As a public safety officer, I was once tasked with writing instructions for loading pre-connected hose lines on fire trucks.  While a straight forward task, a mistake or simple misunderstanding by a firefighter could have serious consequences, delaying rescue and/or getting water on the fire. Writing clear step by step procedures was a challenge and also great training, especially when the procedures would be tested on the fire academy training ground.

I have been engaged in policy and procedure development for security, safety, environmental, and chemical management functions since 1981.  I believe I have learned a few things:

Clarity and Enforceability – keep it simple and straight forward, not only to help employees understand the rules and guidelines, but to enable enforceability for violations of company policy, a key concern today of Human Resources.  How well will the policy stand up in court?

Consistency in Format and Template – Following a consistent template for all policy and procedures makes it easy for employees to find the information they need and enhances their understanding of requirements.

The Distinction between Policy, Procedure, Standard and Guideline.

Definitions based on NIST (National Institute of Standards and Technology) and SANS Institute standards include:

  • Policy – A policy is a system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent, and is implemented as a procedure or protocol.   Policy is generally drafted to foster enforceability.
  • Procedure – A set of business processes, activities and tasks that, when implemented, contribute to accomplishing a policy goal. Procedures are often step by step instructions and are drafted to be enforceable.
  • Standard – A document that provides requirements, specifications, or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. Often a minimum standard that must be followed.
  • Guideline – Recommended practice that allows some discretion or leeway in its interpretation, implementation, or use.

The Policy Catalogue – How does a company make it easy for employees to find the policy and procedures they need?  During a project last year, we conceived the idea of a “Policy Catalogue”, a well indexed online document that contained all IT policies and the subordinate procedures, standards, and guidelines for each policy.  The catalogue Table of Contents, in one quick glance, showed not only where to find what was needed, but how the whole policy system was organized.

Don Greenwood & Associates, Inc. has an extensive library of asset protection and security policies and procedures, as well as model security standards, manuals, and post orders.  We also have a well catalogued collection of IT governance and IT security policy, procedures and standards.  For procedure review and development ideas, contact us at don@greenwoodsecurity.com.

Get Ready Now for 2017 Port Security Grants

It is not too soon to start the registration processes.

The Administration has budgeted $93 million for port security grant awards in 2017.
It is not too soon to begin the application process. Typically, the schedule goes like this:

  • Mid-February the Grant Program is announced, Instructions are posted, and the application period begins. The 2016 application period began on February 17.
  • Late April – the application period closes. In 2016 the application deadline was April 25th.

However, before a facility can upload a grant application they must:

  • Obtain and/or verify the DUNS number for the specific facility and business unit involved. Your legal or tax department may be able to help with this.
  • Register in the government’s System for Award Management (SAM.gov).  FEMA states, “It may take 4 weeks or more after the submission of a SAM registration before the registration becomes active in SAM.gov, then an additional 24 hours for Grants.gov to recognize the information.”
  • Once the SAM’s registration is complete, register and set up an account in a second government web-portal, Grants.gov.  Receive an account log in and password.
  • Once the Grants.gov registration is complete and approved, use that account to set up a third registration in a third government web portal, NDGrants.gov (the site to specifically upload “non-disaster” grants.  All application documentation will be uploaded through NDGrants.gov.  This is also the portal wherein the FEMA officials will communicate with the applicant.

Is it worth doing? Absolutely YES!

Don Greenwood & Associates Inc. has an excellent track record in applying for and winning grants for our clients. In 2016, we developed and submitted several grant applications for a total of $3 million in awards.

Of special interest to DHS in 2016 were applications that included funds for cyber security protections, as well as the fundamentals – access control, gates, TWIC readers, etc.

Let’s get started. Before we can develop an application we need to discuss your facility, what is needed, and whether or not your needs meet the grant priorities. Successful grant writing is more an art than a science. Give us a call at 832-717-4404 or email don@greenwoodsecurity.com.

TSA Inspectors at MTSA Facilities? – Happening Now

The USCG has issued Marine Safety Information Bulletin (MSIB) 01-16 that specifies that TSA inspectors will be accompanying USCG inspection personnel when inspecting MTSA regulated facilities to verify TWIC compliance. Some of our clients have already experienced this.

The USCG is the lead agency for enforcement for MTSA regulated vessels and facilities, and TSA is the lead agency to pursue civil enforcement against individuals engaged in TWIC credential alteration and fraudulent use. The USCG implements its TWIC Enforcement Program at regulated vessels and facilities to ensure that TWIC programs are in compliance with approved Vessel and Facility Security Plans. The USCG verifies this onsite during inspections both visually and with the use of handheld portable TWIC readers.

TSA’s Office of Security Operations has initiated a field inspection program for their Transportation Security Inspectors-Surface (TSI-S) to conduct visual and electronic TWIC inspections at MTSA regulated facilities. It is anticipated, at least initially, that the TSI Inspectors will accompany Coast Guard personnel during Coast Guard led security inspections. However, the TSA has the authority to conduct inspections independently and should be provided relevant portions of the FSP in the areas of TWIC compliance and overall access control.

It is important to remember that ensuring that only authorized TWIC holders desiring unescorted access into Secure Areas of the vessels and facilities remains the responsibility of the VSO/FSO.

DHS Reinstates Top Screen Requirements

On October 1, 2016, DHS has reinstated the requirement to submit Top Screens using CSAT 2.0.

Starting today, October 4, 2016, DHS will begin notifying facilities that they have to submit a new Top Screen. However, facilities may choose to proactively resubmit a Top Screen prior to receiving notification from DHS.

Facilities are given 60 days to submit a new Top Screen.

To read more about CSAT 2.0, click here.