Last week the DHS Infrastructure Security Compliance Division posted a link to a new version of the Chemical Security Assessment Tool (CSAT) 2.0 Portal User Manual.
Read more here.
Recently DHS released their Fall Quarterly Update providing more detail on the implementation of the CFATS program.
As of September 1, 2017, CFATS covers 3,478 facilities. DHS has completed more than 2,700 Compliance Inspections (to read more about Compliance Inspections, click here). Since launching CSAT 2.0 a year ago, DHS has received more than 25,000 CSAT Top Screens. DHS is continuing to issue tiering letters to facilities as their Top Screens are received and reviewed.
You can read more about CSAT 2.0 here.
One topic discussed in the update in the new questions that facilities will need to answer when submitting a new or revised SVA/SSP.
When submitting the SSP, the new questions facilities will need to address include:
In addition to these new SSP question, facilities are asked to select whether a certain detection and delay security measure applies to perimeter and/or critical assets. The following SSP questions should be reviewed to ensure the location(s) are correctly associated with the security measures applied:
Personnel Surety Program (PSP)
Tier 1 and Tier 2 facilities will see questions that address RBPS 12(iv), screening for terrorist ties. Questions Q3.50.330 through Q3.50.550 allow facilities to identify the option(s) chosen and measure(s) used to implement those options for compliance with RBPS 12(iv). To read more about those options, click here.
Additionally, DHS is going to integrate the Personnel Surety Program into the CSAT 2.0 Portal. This should make it much easier and provide better functionality for the user.
Chiefs of Regulatory Compliance
DHS also announced in this update that they have hired Chiefs of Regulatory Compliance (CRCs) for majority of their Regional Offices. CRCs will serve as the lead DHS representatives administering the CFATS regulation and serving as advisors to the Office of Infrastructure Protection Regional Directors.
Feel free to contact us if more information or support is needed.
On April 4, 2017, the Department of Homeland Security (DHS) began issuing tiering notifications to Chemical Facility Anti- Terrorism Standards (CFATS) regulated facilities based on the results of DHS’s new enhanced risk-tiering methodology.
To date, approximately 12,000 updated Top-Screens have been received from the 27,000 facilities that previously reported holdings of chemicals of interest (COI) at or above the screening threshold quantity.
DHS has sent out over 10,000 tiering determination letters to facilities that have submitted new Top-Screens. Tiering letters are being prioritized based on when DHS received the facility Top-Screen, upcoming compliance inspection schedules, and to consider workload for submitters that have a high number of covered facilities with changes.
Over the next 18 months we will continue to notify facilities of the requirement to submit new Top-Screens and issue tiering decisions on a rolling basis.
I’ve Received a Tiering Letter, Now What?
As facilities receive tiering letters, their next steps will depend on their results.
Facilities new to the CFATS program will be required to submit security plans. If a current facility receives a revised tiering assessment, it does not necessarily mean that it will be required to submit a Site Security Plan (SSP)/Alternative Security Program (ASP).
Facilities should review their tiering letter along with their approved SSP/ASP to determine whether it meets the security measures associated with all the chemicals of interest (COI), specific security issues (Theft/Diversion, Release, or Sabotage), and tiers in the letter. If not, an SSP/ASP update may be required.
Examples of situations in which a facility will need to update its SSP may include:
For example, if a facility possesses chlorine tiered for “theft/diversion” but now must also account for chlorine as a “release” concern, the existing SSP/ASP would need to be revised to include security measures to address risks associated with release COI.
DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk.
According to DHS, approximately 2,500 security plans have been approved as of April 15. DHS also states that at their current rate, the Department will have inspected and approved all submitted security plans within the next four months.
The CFATS program is moving forward with the implementation of the Personnel Surety Program, enhancements and updates to the Chemical Security Assessment Tool (CSAT), conducting Compliance Inspections (CI) (to read more about What to Expect During a CI, click here), and improving their methodology on risk-tiering for facilities.
CFATS Personnel Surety Program (PSP) Update
The Department released a Notice of Implementation on December 18, 2015 informing the public of their intention to implement the PSP. The program has been implemented in a phased manner, with Tier 1 and 2 facilities first then Tier 3 and 4 facilities later this year or in 2017. DHS will contact facilities on an individual basis to begin implementation of the Personnel Surety Program. Facilities should wait until they are contact by DHS before making any modifications to their security plans.
The first Compliance Inspection that included PSP implementation was conducted January 28, 2016 and the first updated security plan was approved on March 4, 2016.
To read more about the PSP, click here.
Effective Now – New Requirements for CFATS Facilities – RBPS 12, Personnel Surety
DHS announced and distributed new requirements for Personnel Surety compliance, a clarification and instructions on CFATS Risk Based Performance Standard 12 – Personnel Surety (basically background screening as it relates to federal terrorism databases).
This requirement applies to Tier One and Two High Risk facilities. Each Tier One and Two facility will receive individual letters from DHS giving more detailed requirements and setting individual facility deadlines for compliance, including implementation and amending Security Plans. Requirements for Tier Three and Four facilities will be announced at a later date.
The new requirement relates to RBPS 12(iv) – Measures designed to identify people with terrorist ties, and focuses on Affected Individuals, defined as “facility personnel and unescorted visitors with access to restricted areas or critical assets.” For many of our clients this means almost all employees and contractors working in their plants.
Facilities may choose one of four options to comply or may propose a combination or alternative plan for compliance.
The four options (explained in detail in the instruction) are summarized below:
The requirement (attached) is well written and reasonably easy to understand. However the devil is, as always, in the details, and there is a lot of detail. The overriding questions chemical companies will ask are how do we implement these screening requirements for existing employees, what action will we take if existing employees fail the federal checks, and how do we comply with limited people and resources? These questions and the options should to be discussed between Human Resources and Corporate Security.
We are preparing templates now to help facilitate this discussion and to provide suitable amendments for Site Security Plans.