Today, the Infrastructure Security Compliance Division of DHS hosted a webinar on their new tiering methodology for CFATS facilities.
The presenters stated that the increases and decreases of theft/diversion and release-toxic chemicals of interest (COI) are due to improvements and implementation modeling data available to DHS. Facilities that possess Triethanolamine and MDEA, for example, will most likely be increased to Tier Two for theft/diversion chemical weapon precursor due to the implementation of the new modeling tools.
DHS began sending out letters to facilities earlier this month based on the new tiering methodology. Facilities are instructed to review their SSP/ASP to ensure that the existing security measures are sufficient for the tier level. If a facility determines that they need to resubmit their SSP/ASP, the facility has 30 days from the date of the letter to update the Security Vulnerability Assessment and Security Plan. Note: This deadline is not mentioned in the letters that our clients have received.
During Compliance Inspections, inspectors will verify that the security measures are appropriate to address all tiers, security issues and COI.
Feel free to contact us if more information or support is needed.
On October 1, 2016, DHS reinstated the requirement to submit Top Screens using CSAT 2.0.
Starting today, October 4, 2016, DHS will begin notifying facilities that they have to submit a new Top Screen. However, facilities may choose to proactively resubmit a Top Screen prior to receiving notification from DHS.
Facilities are given 60 days to submit a new Top Screen.
To read more about CSAT 2.0, click here.
DHS has released an update to the upcoming launch of Chemical Security Assessment Tool 2.0 (CSAT 2.0). They state that in the coming months, DHS will be reaching out directly to facilities believed to maintain Chemicals of Interest (COI) at or above the threshold quantities. These facilities will be required to submit new Top Screens to DHS using the new CSAT 2.0 online tool.
What does this mean for you and your facility?
DHS suspended the requirement to submit Top Screens and Security Vulnerability Assessments (SVA) on July 20, 2016 to prepare for the launch of CSAT 2.0.
After the transition to CSAT 2.0 and the improved risk tiering methodology in October 2016, DHS will begin to individually notify “chemical facilities of interest” to resubmit a new Top Screen using CSAT 2.0. They state that chemical facilities of interest include facilities that were previously determined not to be high-risk. The letters will be issued through CSAT 2.0 to each facility’s designated CFATS Authorizer and Submitter in a phased manner over the course of several months.
DHS states that CSAT 2.0 will improve the integration between the CSAT SVA and Site Security Plan (SSP) surveys, streamlining the compliance process and reducing the burden associated with completing these surveys.
DHS will replace the current CSAT surveys with the revised surveys this fall.
- On October 1, 2016, DHS will reinstate the Top-Screen and SVA submission requirements.
- DHS will individually notify facilities in a phased manner to resubmit their Top-Screens using the new tool.
Training on CSAT 2.0
DHS will be hosting several webinars and presentations at several cities around the country to demonstrate the new tool.
- Part 1: CSAT Portal User Interface and Top-Screen
- Part 2: Security Vulnerability Assessment and Site Security Plan
- In September, DHS will post session dates, times, and locations
Picture a large manufacturing facility with a robust security infrastructure: access-controlled gates and entry doors, security guards on post and roving, monitoring with CCTV cameras, and perimeter intrusion alarms. Here all employees have participated in security awareness briefings. Management decided to test their employees' response to intrusion by conducting a Penetration Audit, and the results were disappointing. On the flip side, however, the after action review with the employees was in itself a powerful training tool.
A consultant was hired who, during the daytime, climbed over the fence wearing street clothes and carrying a backpack and a clipboard. He wandered through various buildings and processing areas. As he walked he encountered more than a dozen employees. Many greeted him with a nod. Two employees stopped him and said that fire resistant attire (FRC) was required. The consultant said his FRC gear and hardhat were in the backpack and he would go change into them. One employee showed him the location of a change room for that purpose but did not stay with him.
No one asked what he was doing, who he was, and no one reported him to Security. The positive benefit came when management met with employees for an after-action review. One can bet that in the future strangers on site in this facility will be challenged and reported to security. One can also ask how different the outcome of the audit would have been if it were pre-announced.
Years ago, the security department at Apple hired a smart PI to test security. His mission was to get into the many facilities without screening by the lobby security guards, then leave out the same lobby obviously carrying a large box. On his first audit run nine of ten security officers failed to stop him. He was a glib talker wearing a suit and his demeanor intimidated most of the guards. Again, no one reported him to security management. As a Security Manager, I always preferred to pre-announce penetration audits and did so for the second run of the audit in a different set of buildings. This time, the auditor found the guard force tuned up and 90% of the guards did the job right, stopping the man, asking for ID, and escorting him out of the building.
The results of penetration audits can be surprising to management whether pass or fail. The value of these exercises as training moments that become embedded in their long-term conduct is significant; either way – surprise audits or pre-announced penetration tests.
According to DHS, approximately 2,500 security plans have been approved as of April 15. DHS also states that at their current rate, the Department will have inspected and approved all submitted security plans within the next four months.
The CFATS program is moving forward with the implementation of the Personnel Surety Program, enhancements and updates to the Chemical Security Assessment Tool (CSAT), conducting Compliance Inspections (CI) (to read more about What to Expect During a CI, click here), and improving their methodology on risk-tiering for facilities.
CFATS Personnel Surety Program (PSP) Update
The Department released a Notice of Implementation on December 18, 2015 informing the public of their intention to implement the PSP. The program has been implemented in a phased manner, with Tier 1 and 2 facilities first, then Tier 3 and 4 facilities later this year or in 2017. DHS will contact facilities on an individual basis to begin implementation of the Personnel Surety Program. Facilities should wait until they are contacted by DHS before making any modifications to their security plans.
The first Compliance Inspection that included PSP implementation was conducted January 28, 2016 and the first updated security plan was approved on March 4, 2016.
To read more about the PSP, click here.
Effective Now – New Requirements for CFATS Facilities – RBPS 12, Personnel Surety
DHS announced and distributed new requirements for Personnel Surety compliance, a clarification and instructions on CFATS Risk Based Performance Standard 12 – Personnel Surety (basically background screening as it relates to federal terrorism databases).
This requirement applies to Tier One and Two High Risk facilities. Each Tier One and Two facility will receive individual letters from DHS giving more detailed requirements and setting individual facility deadlines for compliance, including implementation and amending Security Plans. Requirements for Tier Three and Four facilities will be announced at a later date.
The new requirement relates to RBPS 12(iv) – Measures designed to identify people with terrorist ties, and focuses on Affected Individuals, defined as “facility personnel and unescorted visitors with access to restricted areas or critical assets.” For many of our clients this means almost all employees and contractors working in their plants.
Facilities may choose one of four options to comply or may propose a combination or alternative plan for compliance.
The four options (explained in detail in the instruction) are summarized below:
- Option 1: DHS to Vet Affected Individuals
- Option 2: Affected Individuals Who Possess Certain Credentials
- Option 3: Electronic Verification of TWIC
- Option 4: Visual Verification of Credentials
The requirement (attached) is well written and reasonably easy to understand. However, the devil is, as always, in the details, and there is a lot of detail. The overriding questions chemical companies will ask are how do we implement these screening requirements for existing employees, what action will we take if existing employees fail the federal checks, and how do we comply with limited people and resources? These questions and the options should be discussed between Human Resources and Corporate Security.
We are preparing templates now to help facilitate this discussion and to provide suitable amendments for Site Security Plans.
Recently, we learned the following – the long-awaited new CFATS Top Screen Tool will be posted next month with regulatory activity to begin immediately.
DHS plans to publish the new Top Screen Tool requirements in the Federal Register in July. They expect the new tool to be available in September, pending OMB approval. ALL regulated and unregulated facilities will be impacted.
Note the following:
- Effective immediately DHS will suspend processing incoming Top Screens and SVAs.
- Contact DHS for an extension of any required submissions prior to the release of the new Top Screen Tool.
- If you are involved in an acquisition or divestiture, reach out to the help desk firstname.lastname@example.org for assistance in how to proceed.
- During this suspension period of the current Top Screen Tool, facilities who need to “zero out” because they no longer meet the thresholds for Chemicals of Interest (COIs) should continue forward and may contact the DHS Help Desk at email@example.com for assistance.
- Once the new tool is approved and released, DHS will notify regulated and unregulated facilities to update their information and will provide facilities with deadlines in a gradual rollout for both unregulated and regulated facilities.
- Once notified, companies will have 60 days to complete entering and submitting their information.
- Activities for gasoline only facilities remain on hold.
- And, during this interim period, inspections will continue.
For some time, the DHS Infrastructure Security Compliance Division (ISCD) has conducted Authorization Inspections of Tiered CFATS facilities. Recently, they began conducting actual Compliance Inspections of CFATS regulated facilities. The purpose of the Compliance Inspection is to verify and validate that the regulated facility is in compliance with its approved Site Security Plan (SSP) or Alternative Security Program (ASP).
Typically, DHS will not conduct a Compliance Inspection until all the completion dates for the facility’s Planned Security Measures have passed. However, it is possible they may schedule the inspection prior to the completion dates stated in the SSP/ASP. Facilities should be prepared to give the inspectors an update on the status of all Planned Security Measures. They may have to demonstrate that they will be able to meet the timelines stated in the approved security plan.
What to Expect During the Inspection
The inspectors will conduct an in-brief at the beginning of the CI. This briefing will include confirmation of CVI status for personnel participating in the CI, an overview of the purpose and intent of the inspection, what should be expected from DHS, what DHS expects from the facility, and a tentative plan for the inspection. Facilities should be prepared to present a basic overview of facility operations and a brief description of the COIs and how they are used at the facility.
During the inspection process:
- Inspectors will review the Existing Security Measures to confirm they are implemented;
- Inspectors will want to know the status on all Planned Security Measures and will verify that they have been implemented;
- The facility will need to demonstrate they have implemented the procedures, policies and processes listed as Planned Measures in the Security Plan;
- They should have background check records available for all personnel that have access to the COIs or assets;
- They should have all required Records listed in RBPS 18 available for review, including:
  - Drills and Exercise Records,
  - Security Equipment Maintenance Records,
  - Training Records,
- Inspectors will want to tour the facility to inspect the Physical Security features of the facility.
After the Compliance Inspection
Even though the actions the inspector(s) will take during and after the CI are very similar to those of the AI, it’s important to note that the CI process is different from the AI:
- The CI may lead to an enforcement action if the facility does not sufficiently implement the security measures as outlined in the approved security plan.
- Under normal circumstances, facilities will not need to edit their security plan following the CI. Edits are only necessary for significant changes in the security posture. Minor changes will be reflected in the inspection report or supplemental information provided by the facility.
- If a facility remains in compliance, DHS will issue the facility a “Post-Compliance Inspection Status” letter, notifying the facility of their continued compliance.
The inspectors are allowed to give the facility 30 days to solve any deficiencies or non-compliance issues that are discovered during the CI. However, they will not provide a written leave-behind for the facility, so take good notes. The facility should expect a Post Inspection Status Letter from DHS stating if the facility is in compliance with the Security Plan and CFATS. The letter will also detail any findings or deficiencies found during the inspection that were not solved in the allotted 30-day extension.
This is a short trailer with clips from our “All Employees Security Awareness Training” video. This video is in compliance with the CFATS, MTSA, TSA Pipeline, and DOT security standards.
We can customize the video with client and/or site specific images and video branding.
DG&A Security Awareness Video Trailer from Don Greenwood & Associates, Inc. on Vimeo.