Category Archives: Inspections

3 Tips for a Successful USCG Inspection

Many companies aren’t prepared when they receive a letter from the U.S. Coast Guard notifying them of an upcoming facility security inspection. You might have documents that are out of date, or you may be missing the necessary forms. If left unchecked, you could be forced to waste time and money in enforcing corrective actions. When it comes to advising our clients to be prepared, these are the top three tips we give them for a successful USCG Inspection.

Review Your Documents

When you receive a notice from the USCG about an upcoming inspection, this is always a good time to review your FSP and required documents to make sure that you have everything in order. Also, this is a good time to verify that you have conducted the required quarterly drills, annual exercise, and annual audit of the FSP.

Training Moment

Training is very important for facility personnel and this is a good opportunity to make sure all your training is up to date and to have a general discussion regarding security of the facility. The training can focus on topics that will most likely be covered during the inspection; including TWIC, screening, security personnel (who is the FSO, Alt. FSO?), MARSEC security measures, etc.

Organize

One thing that we recommend and develop for majority of our clients is to have a single security plan binder with all relevant documents and forms. This is a perfect, centralized place to store and secure all the forms and documents that the USCG will want to review during the inspection. We have had great success with these binders for all of our regulated clients; MTSA, CFATS, TSA, DOT, etc. As we tell our clients, it is best to get the inspectors the requested material in a timely fashion and get the inspection over with as quickly as possible.

Recently one of our clients had a US Coast Guard inspection that they passed without any issues, “We went through our MARSEC book while the USCG was here and we were complimented on how all the files for MARSEC were in one book and not in different locations.  We didn’t spend much time with it, because everything was in the binder that they had questions about. “

Let us know if we can help you prepare for USCG Security Inspection and develop a security binder for you and help you succeed with your inspections.

Changes in USCG Leadership Indicate Strong Continued Interest in Port Security

  • Rear Adm. Paul Thomas moves from Prevention Policy to command of the Eighth District – New Orleans.
  • Rear Adm. John Nadeau assumes position as assistant commandant for Prevention Policy.

Rear Adm. Paul Thomas, in an article posted in Maritime Commons, stated:

This week marks my last as assistant commandant for prevention policy. I assume command of the Coast Guard’s Eighth District in mid-August. It has been a distinct privilege to lead and represent the men and women of the U.S. Coast Guard who are dedicated to ensure our national security and economic prosperity by ensuring the safety, security and environmental soundness of our Marine Transportation System globally . . .Thank you for your professional and productive relationship with the U.S. Coast Guard.

About Rear Admiral Nadeau, Thomas stated:

I am pleased to introduce Rear Adm. John Nadeau as the new assistant commandant for prevention policy effective today. His most recent assignment was as assistant commandant for capability, where he was responsible for identifying and sourcing new and extended capabilities, competencies, and capacity to meet mission requirements. Prior to that, he served as commanding officer of the Coast Guard Marine Safety Center where he led the review and approval of plans for the design, construction, alteration, and repair of U.S. and foreign flag commercial vessels subject to U.S. laws, regulations, and international standards. Rear Adm. Nadeau’s other assignments cover the full spectrum of marine safety and inspections and span the bulk of his nearly three decades long career: chief of inspections, senior investigating officer, MSU commanding officer, captain of the port and federal on scene coordinator, Officer In Charge, Marine Inspection, and chief of the Office of Design and Engineering Standards.

In summary: Prevention Policy is assumed by a strong advocate for robust port security with a background in marine safety and inspection, and the command of District Eight is assumed by the former assistant commandant for prevention policy.  These moves indicate a strong continued interest in port security programs.

CFATS Quarterly Update

On April 4, 2017, the Department of Homeland Security (DHS) began issuing tiering notifications to Chemical Facility Anti- Terrorism Standards (CFATS) regulated facilities based on the results of DHS’s new enhanced risk-tiering methodology.

To date, approximately 12,000 updated Top-Screens have been received from the 27,000 facilities that previously reported holdings of chemicals of interest (COI) at or above the screening threshold quantity.

DHS has sent out over 10,000 tiering determination letters to facilities that have submitted new Top-Screens. Tiering letters are being prioritized based on when DHS received the facility Top-Screen, upcoming compliance inspection schedules, and to consider workload for submitters that have a high number of covered facilities with changes.

Over the next 18 months we will continue to notify facilities of the requirement to submit new Top-Screens and issue tiering decisions on a rolling basis.

I’ve Received a Tiering Letter, Now What?

As facilities receive tiering letters, their next steps will depend on their results.

Facilities new to the CFATS program will be required to submit security plans. If a current facility receives a revised tiering assessment, it does not necessarily mean that it will be required to submit a Site Security Plan (SSP)/Alternative Security Program (ASP).

Facilities should review their tiering letter along with their approved SSP/ASP to determine whether it meets the security measures associated with all the chemicals of interest (COI), specific security issues (Theft/Diversion, Release, or Sabotage), and tiers in the letter. If not, an SSP/ASP update may be required.

Examples of situations in which a facility will need to update its SSP may include:

  • Facilities that add a newly tiered COI, which is located in a new asset area not currently addressed in the SSP/ASP;
  • Facilities that increase in tier and do not have sufficient security measures to account for the higher tier;
  • Facilities with an added security concern from a current COI that lacks sufficient security measures to account for the new security concern.

For example, if a facility possesses chlorine tiered for “theft/diversion” but now must also account for chlorine as a “release” concern, the existing SSP/ASP would need to be revised to include security measures to address risks associated with release COI.

DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk.

DHS Tiering Methodology

Today, the Infrastructure Security Compliance Division of DHS hosted a webinar on their new tiering methodology for CFATS facilities.

The presenters stated that the increases and decreases of theft/diversion and release-toxic chemicals of interest (COI) is due to improvements and implementation modeling data available to DHS. Facilities that possess Triethanolamine and MDEA, for example, will most likely be increased to Tier Two for theft/diversion chemical weapon precursor due to the implementation of the new modeling tools.

DHS began sending out letters to facilities earlier this month based on the new tiering methodology. Facilities are instructed to review their SSP/ASP to ensure that the existing security measures are sufficient for the tier level. If a facility determines that they need to resubmit their SSP/ASP, the facility has 30 days from the date of the letter to update the Security Vulnerability Assessment and Security Plan. Note: This deadline is not mentioned in the letters that our clients have received.

 During Compliance Inspections, inspectors will verify that the security measures are appropriate to address all tiers, security issues and COI.

Feel free to contact us if more information or support is needed.

Get Ready Now for 2017 Port Security Grants

It is not too soon to start the registration processes.

The Administration has budgeted $93 million for port security grant awards in 2017.
It is not too soon to begin the application process. Typically, the schedule goes like this:

  • Mid-February the Grant Program is announced, Instructions are posted, and the application period begins. The 2016 application period began on February 17.
  • Late April – the application period closes. In 2016 the application deadline was April 25th.

However, before a facility can upload a grant application they must:

  • Obtain and/or verify the DUNS number for the specific facility and business unit involved. Your legal or tax department may be able to help with this.
  • Register in the government’s System for Award Management (SAM.gov).  FEMA states, “It may take 4 weeks or more after the submission of a SAM registration before the registration becomes active in SAM.gov, then an additional 24 hours for Grants.gov to recognize the information.”
  • Once the SAM’s registration is complete, register and set up an account in a second government web-portal, Grants.gov.  Receive an account log in and password.
  • Once the Grants.gov registration is complete and approved, use that account to set up a third registration in a third government web portal, NDGrants.gov (the site to specifically upload “non-disaster” grants.  All application documentation will be uploaded through NDGrants.gov.  This is also the portal wherein the FEMA officials will communicate with the applicant.

Is it worth doing? Absolutely YES!

Don Greenwood & Associates Inc. has an excellent track record in applying for and winning grants for our clients. In 2016, we developed and submitted several grant applications for a total of $3 million in awards.

Of special interest to DHS in 2016 were applications that included funds for cyber security protections, as well as the fundamentals – access control, gates, TWIC readers, etc.

Let’s get started. Before we can develop an application we need to discuss your facility, what is needed, and whether or not your needs meet the grant priorities. Successful grant writing is more an art than a science. Give us a call at 832-717-4404 or email don@greenwoodsecurity.com.

The Security Guard Audit

A few weeks ago, USCG officers arrived at a regulated facility, and observed the main gate security officer not inspecting and validating TWIC cards, and not conducting vehicle inspections as required in the Facility Security Plan. For a moment, the USCG considered shutting down the facility. Recently the USCG also released a list on common MTSA Facility Violations.

We are often retained to conduct brief audits and training moments with entry guards. It works like this: one of us arrives at the entry point and observes security checking in and admitting people to the facility. Then we check in ourselves and spend a few moments with security management to relay our findings. Within moments, we return to the security post, explain that we just conducted an audit and spend a few moments renewing their training. These moments are powerful training tools that will not soon be forgotten. Ken Blanchard, the author of The One Minute Manager, said that supervisors should make every encounter with their staff a learning moment:

  • Catch them doing something wrong, quickly reprimand and then take a moment to retrain.
  • Catch them doing something right, quickly praise and let them know what they did so well.
  • Or, just stop by for a one minute reminder on a procedure or conduct that is important.

Penetration audits can give some indication of how well personnel are performing, but the real value comes from the training that results.

The Penetration Audit – A Powerful Training Tool

Picture a large manufacturing facility with a robust security infrastructure: access controlled gates and entry doors, security guards on post and roving, monitoring with CCTV cameras, and perimeter intrusion alarms. Here all employees have participated in security awareness briefings. Management decided to test their employee’s response to intrusion by conducting a Penetration Audit, and the results were disappointing. On the flip side however, the after action review with the employees was in itself a powerful training tool.

A consultant was hired who during the daytime climbed over the fence wearing street cloths and carrying a backpack and a clipboard. He wandered through various buildings and processing areas. As he walked he encountered more than a dozen employees. Many greeted him with a nod. Two employees stopped him and said that fire resistant attire (FRC) was required. The consultant said his FRC gear and hardhat were in the backpack and he would go change into them. One employee showed him the location of a change room for that purpose but did not stay with him.

No one asked what he was doing, who he was, and no one reported him to Security. The positive benefit came when management met with employees for an after-action review. One can bet that in the future strangers on site in this facility will be challenged and reported to security. One can also ask how different the outcome of the audit would have been if it were pre-announced.

Years ago, the security department at Apple hired a smart PI to test security. His mission was to get into the many facilities without screening by the lobby security guards, then leave out the same lobby obviously carrying a large box. On his first audit run nine of ten security officers failed to stop him. He was a glib talker wearing a suit and his demeanor intimidated most of the guards. Again, no one reported him to security management. As a Security Manager, I always preferred to pre-announce penetration audits and did so for the second run of the audit in a different set of buildings. This time, the auditor found the guard force tuned up and 90% of the guards did the job right, stopping the man, asking for ID, and escorting him out of the building.

The results of penetration audits can be surprising to management whether pass or fail. The value of these exercises as training moments that become imbedded in their long-term conduct is significant; either way – surprise audits or pre-announced penetration tests.

USCG Inspections and FSO Readiness

A few weeks ago, USCG officers arrived at a regulated facility, and observed the main gate security officer not inspecting and validating TWIC cards, and not conducting vehicle inspections as required in the Facility Security Plan. For a moment, the USCG considered shutting down the facility. Recently the USCG also released a list on common MTSA Facility Violations.

The Facility Security Officer (FSO) should expect the USCG to conduct at least two inspections per year. Typically, one inspection will be scheduled with the facility and the other will be an unannounced inspection. These unannounced inspections typically occur at night. The FSO must ensure that their facility, FSP, and records are prepared for the USCG inspections.

Prior to the inspection, the FSO should review the FSP and confirm that all information is up to date and correct. The FSO should also verify that all pertinent documents and records are in order and have the required Sensitive Security Information (SSI) labeling. The FSO will need to ensure that all drills, exercises, audits, security equipment tests, etc. have been properly conducted and recorded.

The FSO will also want to ensure that facility personnel, including security guards, have been properly trained according to the regulation and are prepared to answer questions if asked by USCG officers.

Most deficiencies are typically discovered during the required Annual Audit of the FSP. The MTSA regulation requires facilities to conduct an annual audit and that the person(s) conducting the audit are independent of any security measures being implemented at the facility.

Don Greenwood & Associates, Inc. has provided security assessments, plans and training for hundreds of Facility Security Officers and security-related personnel as mandated in the Maritime Transportation Security Act (MTSA). We also have a full set of compliance tools including training PowerPoints, Assessment Templates, and have produced employee training videos for several petrochemical companies.

CFATS Update

According to DHS, approximately 2,500 security plans have been approved as of April 15. DHS also states that at their current rate, the Department will have inspected and approved all submitted security plans within the next four months.

The CFATS program is moving forward with the implementation of the Personnel Surety Program, enhancements and updates to the Chemical Security Assessment Tool (CSAT), conducting Compliance Inspections (CI) (to read more about What to Expect During a CI, click here), and improving their methodology on risk-tiering for facilities.

CFATS Personnel Surety Program (PSP) Update

 The Department released a Notice of Implementation on December 18, 2015 informing the public of their intention to implement the PSP. The program has been implemented in a phased manner, with Tier 1 and 2 facilities first then Tier 3 and 4 facilities later this year or in 2017. DHS will contact facilities on an individual basis to begin implementation of the Personnel Surety Program. Facilities should wait until they are contact by DHS before making any modifications to their security plans.

The first Compliance Inspection that included PSP implementation was conducted January 28, 2016 and the first updated security plan was approved on March 4, 2016.

To read more about the PSP, click here.

Common MTSA Facility Violations

Recently the Coast Guard listed the most common MTSA Facility Violations.  This is a good list to ensure your program is ready for their next inspection.  This is also a good list to pass on to the guard force:

Typical deficiencies areas:

  • Access Control
  • Restricted Areas
  • Drills and Exercises
  • Owner/Operator Requirements
  • Audits and VSP/FSP Amendments

Most common deficiencies noted on inspection are:

Failure to secure access points:

  • Gates left open or unattended.
  • Facilities failing to provide an escort for persons without TWIC.

Failure to check identification:

  • Individuals gaining access to facilities by piggy backing.
  • Security personnel failing to properly screen vehicles and personnel entering the facility.

Damage to perimeter fencing:

  • Holes found in perimeter fence.
  • Vegetation growing over fence line, allowing unauthorized access to occur.
  • Emergency egress gates not secure.

Missing signage:

  • Missing or improperly placed Secure Area and Restricted Area signage.

Misunderstanding or not knowing the security procedures as stated in the approved FSP:

  • Facility personnel or contract guard services failing to conduct screening at the rate specified in their FSP.
  • Facility personnel or contract guard services not properly trained on relevant provisions of the FSP.

Restricted Areas not properly marked.

  • Areas where FSP is stored (offices, file cabinets, etc.) not containing proper signage designating the area as a Restricted Area.
  • Facilities missing “Restricted Area” signage, for example:
    • Facility perimeter
    • Server rooms
    • Control centers

Not storing required documentation within a Restricted Area:

  • Sensitive Security Information (SSI) not kept in an area designated as a Restricted Area.

Drills and Exercises:

  • Failing to perform security drills in 3 month intervals.
  • Failing to perform an annual security exercise.
  • Failing to label drill and exercise documentation as SSI and store properly.
  • Failure to maintain drill and exercise records.

Improper notifications to USCG:

  • Breaches of security not immediately reported to USCG or National Response Center.
  • FSPs not being submitted for renewal prior to the expiration date.
  • FSPs containing unapproved changes and amendments.

Training:

  • Facility owners or operators failing to notify facility employees of what parts of the facility are secure areas and public access areas and ensuring such areas are clearly marked.
  • Facilities failing to train personnel with security duties; including facility personnel, contract security guard service, and/or TWIC escort companies on relevant provisions of the FSP.

Proper FSP Updating:

  • Owner/Operator failing to ensure annual audits of the FSP are conducted by persons with requisite knowledge as required by the regulation.
  • Current list of FSOs not updated in the FSP.
  • Owner/Operator section of FSP missing TWIC requirements.
  • Failing to designate a FSO and failing to designate a 24hr contact number for FSO.

Proper Implementation of FSP:

  • Owner/Operator failing to ensure that the facility operates in accordance with the approved FSP.
  • Facilities failing to follow incident procedures outlined in approved FSP.
  • Facilities failing to provide security personnel with the ability to monitor video surveillance systems per approved FSP.

Failure to conduct annual audits:

  • Facilities failing to conduct an annual audit of the FSP.
  • Failing to provide certifying documentation of annual audit.
  • Failing to follow audit requirements in accordance with the regulation.
  • Facilities failing to review the FSP and submit changes to the USCG for approval.
  • Failing to update the FSA each time the FSP is submitted for revisions.

Remember, an FSP is not a “binder on the shelf”, but a security operating plan that must be fully implemented and followed in every day operations.