Category Archives: Facility Security Officer

Chemical Sector Security Summit

For the first time in 10 years, the annual Chemical Sector Security Summit will be held outside the D.C. area, in Houston, Texas. The summit is scheduled to take place in July 2017.

This year’s Summit will feature vital chemical security information for 2017 and beyond, while bringing together industry owners and operators, key government officials, first responders, and law enforcement to engage in face-to-face discussions and share the latest in security best practices.

Summit registration will open in spring 2017, along with updates on the venue, agenda, and speakers.

For more information, click here.

CFATS Quarterly Update

On April 4, 2017, the Department of Homeland Security (DHS) began issuing tiering notifications to Chemical Facility Anti-Terrorism Standards (CFATS) regulated facilities based on the results of DHS’s new enhanced risk-tiering methodology.

To date, approximately 12,000 updated Top-Screens have been received from the 27,000 facilities that previously reported holdings of chemicals of interest (COI) at or above the screening threshold quantity.

DHS has sent out over 10,000 tiering determination letters to facilities that have submitted new Top-Screens. Tiering letters are being prioritized based on when DHS received the facility Top-Screen, upcoming compliance inspection schedules, and the workload for submitters that have a high number of covered facilities with changes.

Over the next 18 months we will continue to notify facilities of the requirement to submit new Top-Screens and issue tiering decisions on a rolling basis.

I’ve Received a Tiering Letter, Now What?

As facilities receive tiering letters, their next steps will depend on their results.

Facilities new to the CFATS program will be required to submit security plans. If a current facility receives a revised tiering assessment, it does not necessarily mean that it will be required to submit a Site Security Plan (SSP)/Alternative Security Program (ASP).

Facilities should review their tiering letter along with their approved SSP/ASP to determine whether it meets the security measures associated with all the chemicals of interest (COI), specific security issues (Theft/Diversion, Release, or Sabotage), and tiers in the letter. If not, an SSP/ASP update may be required.

Examples of situations in which a facility will need to update its SSP may include:

  • Facilities that add a newly tiered COI, which is located in a new asset area not currently addressed in the SSP/ASP;
  • Facilities that increase in tier and do not have sufficient security measures to account for the higher tier;
  • Facilities with an added security concern from a current COI that lacks sufficient security measures to account for the new security concern.

For example, if a facility possesses chlorine tiered for “theft/diversion” but now must also account for chlorine as a “release” concern, the existing SSP/ASP would need to be revised to include security measures to address risks associated with release COI.

DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk.

2017 Port Security Grant Program (PSGP) Update 2.0 – May 2017

Port Security Grants possibly announced in two weeks.

FEMA Grant Programs Directorate provided a presentation regarding the FY2017 Port Security Grant Program (PSGP).

Summary:

  • Announcement expected May 19, 2017.
  • Grants will need to be submitted to FEMA by June 19, 2017.
  • Anticipated to be for the same amount as FY2016, $100,000,000.00.
  • Funding priorities remain the same as 2016:
    • Enhancing Maritime Domain Awareness
    • TWIC Readers
    • Cybersecurity Capabilities
    • Training and Exercises, etc.
  • Cost sharing remains the same as 2016, 25/75 split.

To read more about the PSGP, click here and here.

DHS Tiering Methodology

Today, the Infrastructure Security Compliance Division of DHS hosted a webinar on their new tiering methodology for CFATS facilities.

The presenters stated that the increases and decreases of theft/diversion and release-toxic chemicals of interest (COI) are due to improvements and the implementation of modeling data available to DHS. Facilities that possess Triethanolamine and MDEA, for example, will most likely be increased to Tier Two for theft/diversion chemical weapon precursor due to the implementation of the new modeling tools.

DHS began sending out letters to facilities earlier this month based on the new tiering methodology. Facilities are instructed to review their SSP/ASP to ensure that the existing security measures are sufficient for the tier level. If a facility determines that it needs to resubmit its SSP/ASP, the facility has 30 days from the date of the letter to update the Security Vulnerability Assessment and Security Plan. Note: This deadline is not mentioned in the letters that our clients have received.

During Compliance Inspections, inspectors will verify that the security measures are appropriate to address all tiers, security issues and COI.

Feel free to contact us if more information or support is needed.

TWIC Reader Clarification

Recently the Coast Guard shared a blog post to clarify the TWIC Reader Requirements Final Rule regarding CDC facilities.

The rule applies to facilities that are considered a Certain Dangerous Cargo (CDC) facility. These facilities are designated as Risk Group A facilities and will be expected to comply with the TWIC reader rule requirements effective August 23, 2018.

The blog post clarifies what a CDC facility is. According to PAC Decision 20-04 Certain Dangerous Cargo Facilities, in “order for a facility to be classified as a CDC facility, a vessel-to-facility interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk”.

Blog can be read here and PAC 20-04 can be found here. To read more about the TWIC Reader Requirements Final Rule, click here.

2017 Port Security Grant Program (PSGP) Update

Last year the 2016 PSGP Notice of Funding Opportunity (NOFO) was released mid-February and applications had to be submitted by late April. It looks like this year, we will have to wait until late April or early May before the NOFO is released.

DHS/FEMA has an approved budget of $93 million for the 2017 PSGP, but is currently operating under a Continuing Resolution. The 2017 PSGP documents have been prepared and some are posted in draft. However, the actual launch of the program must wait until the federal budget is approved. Again, this is expected in April.

This delay should not keep applicants from making sure their registrations are up to date and making sure they have a plan in place. This gives applicants more time to prepare their Investment Justifications (IJs) and ensure that their project budgets are ready to go when the NOFO is released.

To read more about preparing for the 2017 PSGP, click here.

USCG Issues Policy Regarding Reporting Suspicious Activity and Breaches of Security

This is CG-5P Policy Letter 08_16. It discusses requirements and guidelines, as summarized below, for MTSA regulated ports. The regulatory standing is quoted as 33 CFR 46, 70103. It is dated December 14 and was distributed on January 16. This renewed focus includes reporting requirements for cyberattacks and Unmanned Aircraft Systems activity.

The stated purpose of the letter is to “Promulgate policy for use by Maritime Transportation Security Act (MTSA) regulated vessels and facilities outlining the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting”.

It states, “An owner or operator of a vessel or facility that is required to maintain an approved security plan . . . (a) shall, without delay, report activities that may result in a Transportation Security Incident (TSI) to the National Response Center (NRC), including SA or a BoS. And, (b), the Facility Security Plan (FSP) shall . . . be consistent with the requirements of the National Transportation Security Plan and Area Maritime Transportation Security Plans.”

“The COTP will affirm consistency to help ensure alignment of SA and BoS communication procedures within FSPs throughout their area of responsibility.” 

Regarding cyber activity, the letter states, “The target and intent of malicious cyber activity can be difficult to discern. The fact that business and administrative systems may be connected to operational, industrial control and security systems further complicates this matter. The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate any such connections.”

The letter goes on to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The U.S. Coast Guard regulations define a breach of security as “an incident that has not resulted in a TSI but in which security measures have been circumvented, eluded, or violated.” This definition includes the breach of telecommunications equipment, computer, and networked system security measures where those systems conduct or support functions described in vessel or facility security plans or where successful defeat or exploitation of the systems could result in or contribute to a TSI.

BoS incidents may include, but are not limited to, any of the following:

  • Unauthorized access to regulated areas;
  • Unauthorized circumvention of security measures;
  • Acts of piracy and/or armed robbery against ships;
  • Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
  • Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
  • Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.

The letter contains lists of Suspicious Activities and Breaches of Security that should be reported and concludes with a Glossary of Terms.

Click here for the complete document.

Get Ready Now for 2017 Port Security Grants

It is not too soon to start the registration processes.

The Administration has budgeted $93 million for port security grant awards in 2017.
It is not too soon to begin the application process. Typically, the schedule goes like this:

  • Mid-February – the grant program is announced, instructions are posted, and the application period begins. The 2016 application period began on February 17.
  • Late April – the application period closes. In 2016 the application deadline was April 25th.

However, before a facility can upload a grant application, it must:

  • Obtain and/or verify the DUNS number for the specific facility and business unit involved. Your legal or tax department may be able to help with this.
  • Register in the government’s System for Award Management (SAM.gov). FEMA states, “It may take 4 weeks or more after the submission of a SAM registration before the registration becomes active in SAM.gov, then an additional 24 hours for Grants.gov to recognize the information.”
  • Once the SAM registration is complete, register and set up an account in a second government web portal, Grants.gov. Receive an account login and password.
  • Once the Grants.gov registration is complete and approved, use that account to set up a third registration in a third government web portal, NDGrants.gov (the site to specifically upload “non-disaster” grants). All application documentation will be uploaded through NDGrants.gov. This is also the portal through which FEMA officials will communicate with the applicant.

Is it worth doing? Absolutely YES!

Don Greenwood & Associates Inc. has an excellent track record in applying for and winning grants for our clients. In 2016, we developed and submitted several grant applications for a total of $3 million in awards.

Of special interest to DHS in 2016 were applications that included funds for cyber security protections, as well as the fundamentals – access control, gates, TWIC readers, etc.

Let’s get started. Before we can develop an application we need to discuss your facility, what is needed, and whether or not your needs meet the grant priorities. Successful grant writing is more an art than a science. Give us a call at 832-717-4404 or email don@greenwoodsecurity.com.

DHS Reinstates Top Screen Requirements

On October 1, 2016, DHS reinstated the requirement to submit Top Screens using CSAT 2.0.

Starting today, October 4, 2016, DHS will begin notifying facilities that they have to submit a new Top Screen. However, facilities may choose to proactively resubmit a Top Screen prior to receiving notification from DHS.

Facilities are given 60 days to submit a new Top Screen.

To read more about CSAT 2.0, click here.

CSAT 2.0 Update: Changes Coming in October

DHS has released an update to the upcoming launch of Chemical Security Assessment Tool 2.0 (CSAT 2.0). They state that in the coming months, DHS will be reaching out directly to facilities believed to maintain Chemicals of Interest (COI) at or above the threshold quantities. These facilities will be required to submit new Top Screens to DHS using the new CSAT 2.0 online tool.

What does this mean for you and your facility?

DHS suspended the requirement to submit Top Screens and Security Vulnerability Assessments (SVA) on July 20, 2016 to prepare for the launch of CSAT 2.0.

After the transition to CSAT 2.0 and the improved risk tiering methodology in October 2016, DHS will begin to individually notify “chemical facilities of interest” to resubmit a new Top Screen using CSAT 2.0. They state that chemical facilities of interest include facilities that were previously determined not to be high-risk. The letters will be issued through CSAT 2.0 to each facility’s designated CFATS Authorizer and Submitter in a phased manner over the course of several months.

DHS states that CSAT 2.0 will improve the integration between the CSAT SVA and Site Security Plan (SSP) surveys, streamlining the compliance process and reducing the burden associated with completing these surveys.

Next Steps

DHS will replace the current CSAT surveys with the revised surveys this fall.

  • On October 1, 2016, DHS will reinstate the Top-Screen and SVA submission requirements.
  • DHS will individually notify facilities in a phased manner to resubmit their Top-Screens using the new tool.

Training on CSAT 2.0

DHS will be hosting several webinars and presentations at several cities around the country to demonstrate the new tool.

Webinars:

In-Person Demonstrations:

  • In September, DHS will post session dates, times, and locations