Category Archives: SSO

CFATS Quarterly Update

Recently DHS released their Fall Quarterly Update providing more detail on the implementation of the CFATS program.

CFATS Update

As of September 1, 2017, CFATS covers 3,478 facilities. DHS has completed more than 2,700 Compliance Inspections (to read more about Compliance Inspections, click here). Since launching CSAT 2.0 a year ago, DHS has received more than 25,000 CSAT Top Screens. DHS is continuing to issue tiering letters to facilities as their Top Screens are received and reviewed.

You can read more about CSAT 2.0 here.

SVA/SSP Questions

One topic discussed in the update in the new questions that facilities will need to answer when submitting a new or revised SVA/SSP.

When submitting the SSP, the new questions facilities will need to address include:

  • Q3.10.050 Personnel Presence
  • Q3.10.400 through Q3.10.420 Inventory Controls
  • Q3.40.400 through Q3.40.430 Cyber Control and Business Systems
  • Q3.50.320 Personnel Surety, Types of Affected Individuals
  • Q3.50.710 Recordkeeping Affirmation

In addition to these new SSP question, facilities are asked to select whether a certain detection and delay security measure applies to perimeter and/or critical assets. The following SSP questions should be reviewed to ensure the location(s) are correctly associated with the security measures applied:

  • Q3.10.070 Mobile Patrols
  • Q3.10.120 Intrusion Detection Systems
  • Q3.10.180 through Q3.10.230 Intrusion Detection Sensors
  • Q3.10.290 and Q3.10.310 Closed Circuit Television
  • Q3.20.030 through Q3.20.160 Perimeter Security
  • Q3.20.430 and Q3.20.440 Access Control Systems
  • Q3.20.560 Anti-Vehicle Measures

Personnel Surety Program (PSP)

Tier 1 and Tier 2 facilities will see questions that address RBPS 12(iv), screening for terrorist ties. Questions Q3.50.330 through Q3.50.550 allow facilities to identify the option(s) chosen and measure(s) used to implement those options for compliance with RBPS 12(iv). To read more about those options, click here.

Additionally, DHS is going to integrate the Personnel Surety Program into the CSAT 2.0 Portal. This should make it much easier and provide better functionality for the user.

Chiefs of Regulatory Compliance

DHS also announced in this update that they have hired Chiefs of Regulatory Compliance (CRCs) for majority of their Regional Offices. CRCs will serve as the lead DHS representatives administering the CFATS regulation and serving as advisors to the Office of Infrastructure Protection Regional Directors.

Region CRCs:

  • Region 1 (VT, RI, ME, NH, CT, MA) – Charles Colley charles.colley@hq.dhs.gov
  • Region 2 (VI, PR, NJ, NY) – John Dean john.dean@hq.dhs.gov
  • Region 3 (DC, DE, WV, MD, VA, PA) – Don Keen donald.keen@hq.dhs.gov
  • Region 4 (MS, SC, AL, KY, FL, NC, TN, GA) – Cheryl Louck cheryl.louck@hq.dhs.gov
  • Region 5 (MN, WI, IN, MI, IL, OH) – Kathy Young kathryn.young@hq.dhs.gov
  • Region 6 (NM, OK, LA, AR, TX) – Steve Shedd steven.shedd@hq.dhs.gov
  • Region 7 (NE, KS, IA, MO) – Dave Martak david.martak@hq.dhs.gov
  • Region 8 (WY, ND, SD, MT, UT, CO) – Jim Williams james.williams@hq.dhs.gov
  • Region 9 (MP, GU, HI, NV, AZ, CA) – Marcie Stone marcie.stone@hq.dhs.gov
  • Region 10 (AK, ID, OR, WA) – Marc Glasser marc.glasser@hq.dhs.gov

Feel free to contact us if more information or support is needed.

Chemical Sector Security Summit

For the first time after 10 years, the annual Chemical Sector Security Summit will be held outside the D.C. area in Houston, Texas. The summit is scheduled to take place in July 2017.

This year’s Summit will feature vital chemical security information for 2017 and beyond, while bringing together industry owners and operators, key government officials, first responders, and law enforcement to engage in face-to-face discussions and share the latest in security best practices.

Summit registration will open in spring 2017, along with updates on the venue, agenda, and speakers.

For more information, click here.

CFATS Quarterly Update

On April 4, 2017, the Department of Homeland Security (DHS) began issuing tiering notifications to Chemical Facility Anti- Terrorism Standards (CFATS) regulated facilities based on the results of DHS’s new enhanced risk-tiering methodology.

To date, approximately 12,000 updated Top-Screens have been received from the 27,000 facilities that previously reported holdings of chemicals of interest (COI) at or above the screening threshold quantity.

DHS has sent out over 10,000 tiering determination letters to facilities that have submitted new Top-Screens. Tiering letters are being prioritized based on when DHS received the facility Top-Screen, upcoming compliance inspection schedules, and to consider workload for submitters that have a high number of covered facilities with changes.

Over the next 18 months we will continue to notify facilities of the requirement to submit new Top-Screens and issue tiering decisions on a rolling basis.

I’ve Received a Tiering Letter, Now What?

As facilities receive tiering letters, their next steps will depend on their results.

Facilities new to the CFATS program will be required to submit security plans. If a current facility receives a revised tiering assessment, it does not necessarily mean that it will be required to submit a Site Security Plan (SSP)/Alternative Security Program (ASP).

Facilities should review their tiering letter along with their approved SSP/ASP to determine whether it meets the security measures associated with all the chemicals of interest (COI), specific security issues (Theft/Diversion, Release, or Sabotage), and tiers in the letter. If not, an SSP/ASP update may be required.

Examples of situations in which a facility will need to update its SSP may include:

  • Facilities that add a newly tiered COI, which is located in a new asset area not currently addressed in the SSP/ASP;
  • Facilities that increase in tier and do not have sufficient security measures to account for the higher tier;
  • Facilities with an added security concern from a current COI that lacks sufficient security measures to account for the new security concern.

For example, if a facility possesses chlorine tiered for “theft/diversion” but now must also account for chlorine as a “release” concern, the existing SSP/ASP would need to be revised to include security measures to address risks associated with release COI.

DHS will assess facilities on a case-by-case basis to ensure security measures are appropriate to their level of risk.

2017 Port Security Grant Program (PSGP) Update 2.0 – May 2017

Port Security Grants possibly announced in two weeks.

FEMA Grant Programs Directorate provided a presentation regarding the FY2017 Port Security Grant Program (PSGP).

Summary:

  • Announcement expected May 19, 2017.
  • Grants will need to be submitted to FEMA by June 19, 2017.
  • Anticipated to be for the same amount as FY2016, $100,000,000.00.
  • Funding priorities remain the same as 2016:
    • Enhancing Maritime Domain Awareness
    • TWIC Readers
    • Cybersecurity Capabilities
    • Training and Exercises, etc.
  • Cost sharing remains the same as 2016, 25/75 split.

To read more about the PSCP, click here and here.

DHS Tiering Methodology

Today, the Infrastructure Security Compliance Division of DHS hosted a webinar on their new tiering methodology for CFATS facilities.

The presenters stated that the increases and decreases of theft/diversion and release-toxic chemicals of interest (COI) is due to improvements and implementation modeling data available to DHS. Facilities that possess Triethanolamine and MDEA, for example, will most likely be increased to Tier Two for theft/diversion chemical weapon precursor due to the implementation of the new modeling tools.

DHS began sending out letters to facilities earlier this month based on the new tiering methodology. Facilities are instructed to review their SSP/ASP to ensure that the existing security measures are sufficient for the tier level. If a facility determines that they need to resubmit their SSP/ASP, the facility has 30 days from the date of the letter to update the Security Vulnerability Assessment and Security Plan. Note: This deadline is not mentioned in the letters that our clients have received.

 During Compliance Inspections, inspectors will verify that the security measures are appropriate to address all tiers, security issues and COI.

Feel free to contact us if more information or support is needed.

DHS Reinstates Top Screen Requirements

On October 1, 2016, DHS has reinstated the requirement to submit Top Screens using CSAT 2.0.

Starting today, October 4, 2016, DHS will begin notifying facilities that they have to submit a new Top Screen. However, facilities may choose to proactively resubmit a Top Screen prior to receiving notification from DHS.

Facilities are given 60 days to submit a new Top Screen.

To read more about CSAT 2.0, click here.

CSAT 2.0 Update: Changes Coming in October

DHS has released an update to the upcoming launch of Chemical Security Assessment Tool 2.0 (CSAT 2.0). They state that in the coming months, DHS will be reaching out directly to facilities believed to maintain Chemicals of Interest (COI) at or above the threshold quantities. These facilities will be required to submit new Top Screens to DHS using the new CSAT 2.0 online tool.

What does this mean for you and your facility?

DHS suspended the requirement to submit Top Screens and Security Vulnerability Assessments (SVA) on July 20, 2016 to prepare for the launch of CSAT 2.0.

After the transition to CSAT 2.0 and the improved risk tiering methodology in October 2016, DHS will begin to individually notify “chemical facilities of interest” to resubmit a new Top Screen using CSAT 2.0. They state that chemical facilities of interest include facilities that were previously determined not to be high-risk. The letters will be issued through CSAT 2.0 to each facility’s designated CFATS Authorizer and Submitter in a phased manner over the course of several months.

DHS states that CSAT 2.0 will improve the integration between the CSAT SVA and Site Security Plan (SSP) surveys, streamlining the compliance process and reducing the burden associated with completing these surveys.

Next Steps

 DHS will replace the current CSAT surveys with the revised surveys this fall.

  • On October 1, 2016, DHS will reinstate the Top-Screen and SVA submission requirements.
  • DHS will individually notify facilities in a phased manner to resubmit their Top-Screens using the new tool.

Training on CSAT 2.0

DHS will be hosting several webinars and presentations at several cities around the country to demonstrate the new tool.

Webinars:

In-Person Demonstrations:

  • In September, DHS will post session dates, times, and locations

New Requirements for CFATS Facilities

Effective Now – New Requirements for CFATS Facilities – RBPS 12, Personnel Surety

DHS announced and distributed new requirements for Personnel Surety compliance, a clarification and instructions on CFATS Risk Based Performance Standard 12 – Personnel Surety (basically background screening as it relates to federal terrorism databases).

This requirement applies to Tier One and Two High Risk facilities. Each Tier One and Two facility will receive individual letters from DHS giving more detailed requirements and setting individual facility deadlines for compliance, including implementation and amending Security Plans. Requirements for Tier Three and Four facilities will be announced at a later date.

The new requirement relates to RBPS 12(iv) – Measures designed to identify people with terrorist ties, and focuses on Affected Individuals, defined as “facility personnel and unescorted visitors with access to restricted areas or critical assets.”  For many of our clients this means almost all employees and contractors working in their plants.

Facilities may choose one of four options to comply or may propose a combination or alternative plan for compliance.

The four options (explained in detail in the instruction) are summarized below:

  • Option 1: DHS to Vet Affected Individuals
  • Option 2: Affected Individuals Who Possess Certain Credentials
  • Option 3: Electronic Verification of TWIC
  • Option 4: Visual Verification of Credentials

The requirement (attached) is well written and reasonably easy to understand.  However the devil is, as always, in the details, and there is a lot of detail.  The overriding questions chemical companies will ask are how do we implement these screening requirements for existing employees, what action will we take if existing employees fail the federal checks, and how do we comply with limited people and resources?  These questions and the options should to be discussed between Human Resources and Corporate Security.

We are preparing templates now to help facilitate this discussion and to provide suitable amendments for Site Security Plans.

New CFATS Top Screen Regulation

Recently, we learned the following – the long-awaited new CFATS Top Screen Tool will be posted next month with regulatory activity to begin immediately.

DHS plans to publish the new Top Screen Tool requirements in the Federal Register in July.  They expect the new tool to be available in September, pending OMB approval.  ALL regulated and unregulated facilities will be impacted.

Note the following:

  • Effective immediately DHS will suspend processing incoming Top Screens and SVAs.
  • Contact DHS for an extension of any required submissions prior the release of the new Top Screen Tool.
  • If you are involved in an acquisition or divestiture, reach out to the help desk csat@dhs.gov for assistance in how to proceed.
  • During this suspension period of the current Top Screen Tool, facilities who need to “zero out” because they no longer meet the thresholds for Chemicals of Interest (COIs) should continue forward and may contact the DHS Help Desk at csat@dhs.govfor assistance.
  • Once the new tool is approved and released, DHS will notify regulated and unregulated facilities to update their information and will provide facilities with deadlines in a gradual rollout for both unregulated and regulated facilities.
  • ** Once notified, companies will have 60 days to complete entering and submitting their information.
  • Activities for gasoline only facilities remain on hold.
  • And, during this interim period, inspections will continue.