Category Archives: USCG

2017 Port Security Grant Program (PSGP) Update 2.0 – May 2017

Port Security Grants possibly announced in two weeks.

FEMA Grant Programs Directorate provided a presentation regarding the FY2017 Port Security Grant Program (PSGP).

Summary:

  • Announcement expected May 19, 2017.
  • Grants will need to be submitted to FEMA by June 19, 2017.
  • Anticipated to be for the same amount as FY2016, $100,000,000.00.
  • Funding priorities remain the same as 2016:
    • Enhancing Maritime Domain Awareness
    • TWIC Readers
    • Cybersecurity Capabilities
    • Training and Exercises, etc.
  • Cost sharing remains the same as 2016, 25/75 split.

To read more about the PSGP, click here and here.

TWIC Reader Clarification

Recently the Coast Guard shared a blog post to clarify the TWIC Reader Requirements Final Rule regarding CDC facilities.

The rule applies to facilities that are considered a Certain Dangerous Cargo (CDC) facility. These facilities are designated as Risk Group A facilities and will be expected to comply with the TWIC reader rule requirements effective August 23, 2018.

The blog post clarifies what a CDC facility is. According to PAC Decision 20-04 Certain Dangerous Cargo Facilities, in “order for a facility to be classified as a CDC facility, a vessel-to-facility interface must occur, or be capable of occurring, and involve the transfer of CDC’s in bulk”.

Blog can be read here and PAC 20-04 can be found here. To read more about the TWIC Reader Requirements Final Rule, click here.

2017 Port Security Grant Program (PSGP) Update

Last year the 2016 PSGP Notice of Funding Opportunity (NOFO) was released mid-February and applications had to be submitted by late April. It looks like this year, we will have to wait until late April or early May before the NOFO is released.

DHS/FEMA has an approved budget of $93 million for the 2017 PSGP but is currently operating under a Continuing Resolution. The 2017 PSGP documents have been prepared and some are posted in draft. However, the program will not actually launch until the federal budget is approved. Again, this is expected in April.

This delay should not keep applicants from making sure their registrations are up to date and making sure they have a plan in place. This gives applicants more time to prepare their Investment Justifications (IJs) and ensure that their project budgets are ready to go when the NOFO is released.

To read more about preparing for the 2017 PSGP, click here.

USCG Issues Policy Regarding Reporting Suspicious Activity and Breaches of Security

This is CG-5P Policy Letter 08_16. It discusses requirements and guidelines, summarized below, for MTSA-regulated ports. The regulatory standing is quoted as 33 CFR 46, 70103. It is dated December 14 and was distributed on January 16. This renewed focus includes reporting requirements for cyberattacks and Unmanned Aircraft Systems activity.

The stated purpose of the letter is to “Promulgate policy for use by Maritime Transportation Security Act (MTSA) regulated vessels and facilities outlining the criteria and process for suspicious activity (SA) and breach of security (BoS) reporting”.

It states, “An owner or operator of a vessel or facility that is required to maintain an approved security plan . . . (a) shall, without delay, report activities that may result in a Transportation Security Incident (TSI) to the National Response Center (NRC), including SA or a BoS. And, (b), the Facility Security Plan (FSP) shall . . . be consistent with the requirements of the National Transportation Security Plan and Area Maritime Transportation Security Plans.”

“The COTP will affirm consistency to help ensure alignment of SA and BoS communication procedures within FSPs throughout their area of responsibility.” 

Regarding cyber activity, the letter states: “The target and intent of malicious cyber activity can be difficult to discern. The fact that business and administrative systems may be connected to operational, industrial control and security systems further complicates this matter. The Coast Guard strongly encourages vessel and facility operators to minimize, monitor, and wherever possible, eliminate any such connections.”

The letter goes on to describe U.S. Coast Guard requirements for reporting BoS and SA for both physical and network or computer-related events. The U.S. Coast Guard regulations define a breach of security as “an incident that has not resulted in a TSI but in which security measures have been circumvented, eluded, or violated.” This definition includes the breach of telecommunications equipment, computer, and networked system security measures where those systems conduct or support functions described in vessel or facility security plans, or where successful defeat or exploitation of the systems could result in or contribute to a TSI.

BoS incidents may include, but are not limited to, any of the following:

  • Unauthorized access to regulated areas;
  • Unauthorized circumvention of security measures;
  • Acts of piracy and/or armed robbery against ships;
  • Intrusion into telecommunications equipment, computer, and networked systems linked to security plan functions (e.g., access control, cargo control, monitoring), unauthorized root or administrator access to security and industrial control systems, successful phishing attempts or malicious insider activity that could allow outside entities access to internal IT systems that are linked to the MTS;
  • Instances of viruses, Trojan Horses, worms, zombies or other malicious software that have a widespread impact or adversely affect one or more on-site mission critical servers that are linked to security plan functions; and/or
  • Any denial of service attacks that adversely affect or degrade access to critical services that are linked to security plan functions.

The letter contains lists of Suspicious Activities and Breaches of Security that should be reported and concludes with a Glossary of Terms.

Click here for the complete document.

Get Ready Now for 2017 Port Security Grants

It is not too soon to start the registration processes.

The Administration has budgeted $93 million for port security grant awards in 2017.
It is not too soon to begin the application process. Typically, the schedule goes like this:

  • Mid-February the Grant Program is announced, Instructions are posted, and the application period begins. The 2016 application period began on February 17.
  • Late April – the application period closes. In 2016 the application deadline was April 25th.

However, before a facility can upload a grant application they must:

  • Obtain and/or verify the DUNS number for the specific facility and business unit involved. Your legal or tax department may be able to help with this.
  • Register in the government’s System for Award Management (SAM.gov). FEMA states, “It may take 4 weeks or more after the submission of a SAM registration before the registration becomes active in SAM.gov, then an additional 24 hours for Grants.gov to recognize the information.”
  • Once the SAM registration is complete, register and set up an account in a second government web portal, Grants.gov, and receive an account login and password.
  • Once the Grants.gov registration is complete and approved, use that account to set up a third registration in a third government web portal, NDGrants.gov (the site specifically for uploading “non-disaster” grants). All application documentation will be uploaded through NDGrants.gov. This is also the portal through which FEMA officials will communicate with the applicant.

Is it worth doing? Absolutely YES!

Don Greenwood & Associates Inc. has an excellent track record in applying for and winning grants for our clients. In 2016, we developed and submitted several grant applications for a total of $3 million in awards.

Of special interest to DHS in 2016 were applications that included funds for cyber security protections, as well as the fundamentals – access control, gates, TWIC readers, etc.

Let’s get started. Before we can develop an application we need to discuss your facility, what is needed, and whether or not your needs meet the grant priorities. Successful grant writing is more an art than a science. Give us a call at 832-717-4404 or email don@greenwoodsecurity.com.

Final Rule – Transportation Worker Identification Credential (TWIC) Reader Requirements

Yesterday, the Department of Homeland Security and the U.S. Coast Guard published the Final Rule for TWIC Reader inspection requirements. This amendment to the Maritime Transportation Security Act requires owners and operators of certain regulated vessels and facilities to conduct electronic inspections of TWICs as an access control measure.

The final rule is effective August 23, 2018, and facilities have up to two years to be in compliance.

This final rule only affects vessels with more than 20 crew members (only 1 regulated vessel is identified at this time) and about 525 facilities that are in “Risk Group A”.

Risk Group A includes:

  • Vessels that carry or tow a vessel carrying Certain Dangerous Cargoes (CDC) in bulk.
  • Vessels certified to carry more than 1,000 passengers.
  • Facilities that handle CDCs in bulk or receive vessels carrying CDC in bulk.
  • Facilities that receive vessels certified to carry more than 1,000 passengers.
  • As of now, no Outer Continental Shelf (OCS) facility is considered Risk Group A.

This final rule clarifies that for Risk Group A facilities, electronic TWIC inspection is required each time a person is granted unescorted access to a secure area (a limited exception is permitted for Recurring Unescorted Access, or RUA). For Risk Group A vessels, electronic TWIC inspection is only required when boarding the vessel, even if only parts of the vessel are considered “secure areas”.

The regulation states that each person who has been issued or possesses a TWIC must have their TWIC verified through an electronic inspection. They must also submit their biometric and Personal Identification Number (PIN) when requested from the TSA, USCG, DHS, or Federal, State, or local law enforcement.

Facilities and vessels will need to update their Facility Security Plans to meet this ruling.

TSA List of Cancelled TWICs

At MARSEC Level 1, facilities and vessels will have to ensure that the TWIC verification is conducted using information from TSA that is no more than 7 days old. At MARSEC Levels 2 and 3, the information from TSA must be no more than 1-day old. If the MARSEC increases, the TSA information must be updated within 12 hours, no matter when the information was last updated.
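The freshness rule above, expressed as the check an access-control integration could run before accepting a TWIC, as an added example that is not part of the original post or of the Coast Guard’s rule text. It assumes (the post does not say) that the 12-hour clock starts at the moment the MARSEC level is raised and governs until the first pull from TSA made after the increase, and that the 7-day limit of Level 1 is a ceiling no level exceeds; the timeline in the sample run is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Maximum age of the TSA cancelled-TWIC information at each MARSEC level, per the rule above.
MAX_AGE = {1: timedelta(days=7), 2: timedelta(days=1), 3: timedelta(days=1)}
# After a MARSEC increase the information must be refreshed within 12 hours of the increase.
ESCALATION_WINDOW = timedelta(hours=12)


@dataclass(frozen=True)
class Freshness:
    compliant: bool       # may TWIC verification proceed on the information now on hand?
    refresh_by: datetime  # latest moment at which a new pull from TSA must have been made
    reason: str           # the clause of the rule that set the deadline


def refresh_deadline(marsec: int, last_pull: datetime,
                     raised_at: Optional[datetime] = None) -> Tuple[datetime, str]:
    """Deadline for the next pull of cancelled-TWIC information from TSA.
    marsec    -- current MARSEC level (1, 2 or 3)
    last_pull -- when the facility last obtained the information from TSA
    raised_at -- when the level was last increased to `marsec`, if it was increased
    Assumption (not spelled out in the post): the 12-hour clock starts at the moment of
    the increase and governs until the first pull made after it, capped by the 7-day
    ceiling, since no level tolerates information older than that.
    """
    if marsec not in MAX_AGE:
        raise ValueError(f"invalid MARSEC level: {marsec}")
    if raised_at is not None and marsec == 1:
        raise ValueError("MARSEC 1 is the lowest level; it cannot be reached by an increase")
    if raised_at is not None and last_pull < raised_at:
        deadline = min(raised_at + ESCALATION_WINDOW, last_pull + MAX_AGE[1])
        return deadline, "MARSEC increased: refresh within 12 hours of the increase"
    return last_pull + MAX_AGE[marsec], f"MARSEC {marsec}: at most {MAX_AGE[marsec].days} day(s) old"


def check_freshness(marsec: int, last_pull: datetime, now: datetime,
                    raised_at: Optional[datetime] = None) -> Freshness:
    """Decide whether the information on hand is still acceptable at time `now`."""
    deadline, reason = refresh_deadline(marsec, last_pull, raised_at)
    return Freshness(compliant=now <= deadline, refresh_by=deadline, reason=reason)


def check_freshness_iso(marsec: int, last_pull: str, now: str,
                        raised_at: Optional[str] = None) -> Freshness:
    """Same check on ISO 8601 timestamps, as an access-control system's logs would hold them."""
    raised = datetime.fromisoformat(raised_at) if raised_at else None
    return check_freshness(marsec, datetime.fromisoformat(last_pull),
                           datetime.fromisoformat(now), raised)


if __name__ == "__main__":
    # Constructed timeline (not real facility data): one pull at MARSEC 1, the level raised
    # to 2 three days later, and a second pull made after the increase.
    cases = [
        (1, "2018-08-23T06:00", "2018-08-28T06:00", None),                # 5 days old at Level 1
        (2, "2018-08-23T06:00", "2018-08-26T20:00", "2018-08-26T09:00"),  # 11 h after increase
        (2, "2018-08-23T06:00", "2018-08-26T22:00", "2018-08-26T09:00"),  # 13 h after increase
        (2, "2018-08-26T10:00", "2018-08-27T11:00", "2018-08-26T09:00"),  # later pull, over 1 day
    ]
    for level, pulled, now, raised in cases:
        r = check_freshness_iso(level, pulled, now, raised)
        print(f"MARSEC {level} at {now}: {'OK' if r.compliant else 'REFRESH NOW'} "
              f"(deadline {r.refresh_by:%Y-%m-%d %H:%M}; {r.reason})")
```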

We will continue to review the final rule and provide more detailed summaries in future posts.

The Security Guard Audit

A few weeks ago, USCG officers arrived at a regulated facility, and observed the main gate security officer not inspecting and validating TWIC cards, and not conducting vehicle inspections as required in the Facility Security Plan. For a moment, the USCG considered shutting down the facility. Recently the USCG also released a list on common MTSA Facility Violations.

We are often retained to conduct brief audits and training moments with entry guards. It works like this: one of us arrives at the entry point and observes security checking in and admitting people to the facility. Then we check in ourselves and spend a few moments with security management to relay our findings. Within moments, we return to the security post, explain that we just conducted an audit and spend a few moments renewing their training. These moments are powerful training tools that will not soon be forgotten. Ken Blanchard, the author of The One Minute Manager, said that supervisors should make every encounter with their staff a learning moment:

  • Catch them doing something wrong, quickly reprimand and then take a moment to retrain.
  • Catch them doing something right, quickly praise and let them know what they did so well.
  • Or, just stop by for a one minute reminder on a procedure or conduct that is important.

Penetration audits can give some indication of how well personnel are performing, but the real value comes from the training that results.

The Penetration Audit – A Powerful Training Tool

Picture a large manufacturing facility with a robust security infrastructure: access-controlled gates and entry doors, security guards on post and roving, CCTV camera monitoring, and perimeter intrusion alarms. All employees have participated in security awareness briefings. Management decided to test their employees’ response to intrusion by conducting a Penetration Audit, and the results were disappointing. On the flip side, however, the after-action review with the employees was in itself a powerful training tool.

A consultant was hired who, during the daytime, climbed over the fence wearing street clothes and carrying a backpack and a clipboard. He wandered through various buildings and processing areas. As he walked he encountered more than a dozen employees. Many greeted him with a nod. Two employees stopped him and said that fire-resistant clothing (FRC) was required. The consultant said his FRC gear and hardhat were in the backpack and he would go change into them. One employee showed him the location of a change room for that purpose but did not stay with him.

No one asked who he was or what he was doing, and no one reported him to Security. The positive benefit came when management met with employees for an after-action review. One can bet that in the future strangers on site in this facility will be challenged and reported to security. One can also ask how different the outcome of the audit would have been if it had been pre-announced.

Years ago, the security department at Apple hired a smart PI to test security. His mission was to get into the many facilities without screening by the lobby security guards, then leave out the same lobby obviously carrying a large box. On his first audit run nine of ten security officers failed to stop him. He was a glib talker wearing a suit and his demeanor intimidated most of the guards. Again, no one reported him to security management. As a Security Manager, I always preferred to pre-announce penetration audits and did so for the second run of the audit in a different set of buildings. This time, the auditor found the guard force tuned up and 90% of the guards did the job right, stopping the man, asking for ID, and escorting him out of the building.

The results of penetration audits can be surprising to management, whether pass or fail. Either way, surprise audits or pre-announced penetration tests, the value of these exercises as training moments that become embedded in long-term conduct is significant.

USCG Inspections and FSO Readiness

The Facility Security Officer (FSO) should expect the USCG to conduct at least two inspections per year. Typically, one inspection will be scheduled with the facility and the other will be an unannounced inspection. These unannounced inspections typically occur at night. The FSO must ensure that their facility, FSP, and records are prepared for the USCG inspections.

Prior to the inspection, the FSO should review the FSP and confirm that all information is up to date and correct. The FSO should also verify that all pertinent documents and records are in order and have the required Sensitive Security Information (SSI) labeling. The FSO will need to ensure that all drills, exercises, audits, security equipment tests, etc. have been properly conducted and recorded.

The FSO will also want to ensure that facility personnel, including security guards, have been properly trained according to the regulation and are prepared to answer questions if asked by USCG officers.

Most deficiencies are typically discovered during the required Annual Audit of the FSP. The MTSA regulation requires facilities to conduct an annual audit and that the person(s) conducting the audit are independent of any security measures being implemented at the facility.

Don Greenwood & Associates, Inc. has provided security assessments, plans and training for hundreds of Facility Security Officers and security-related personnel as mandated in the Maritime Transportation Security Act (MTSA). We also have a full set of compliance tools including training PowerPoints, Assessment Templates, and have produced employee training videos for several petrochemical companies.

Common MTSA Facility Violations

Recently the Coast Guard listed the most common MTSA Facility Violations. This is a good list to ensure your program is ready for their next inspection. This is also a good list to pass on to the guard force:

Typical deficiency areas:

  • Access Control
  • Restricted Areas
  • Drills and Exercises
  • Owner/Operator Requirements
  • Audits and VSP/FSP Amendments

Most common deficiencies noted on inspection are:

Failure to secure access points:

  • Gates left open or unattended.
  • Facilities failing to provide an escort for persons without TWIC.

Failure to check identification:

  • Individuals gaining access to facilities by piggybacking.
  • Security personnel failing to properly screen vehicles and personnel entering the facility.

Damage to perimeter fencing:

  • Holes found in perimeter fence.
  • Vegetation growing over fence line, allowing unauthorized access to occur.
  • Emergency egress gates not secure.

Missing signage:

  • Missing or improperly placed Secure Area and Restricted Area signage.

Misunderstanding or not knowing the security procedures as stated in the approved FSP:

  • Facility personnel or contract guard services failing to conduct screening at the rate specified in their FSP.
  • Facility personnel or contract guard services not properly trained on relevant provisions of the FSP.

Restricted Areas not properly marked:

  • Areas where FSP is stored (offices, file cabinets, etc.) not containing proper signage designating the area as a Restricted Area.
  • Facilities missing “Restricted Area” signage, for example:
    • Facility perimeter
    • Server rooms
    • Control centers

Not storing required documentation within a Restricted Area:

  • Sensitive Security Information (SSI) not kept in an area designated as a Restricted Area.

Drills and Exercises:

  • Failing to perform security drills at 3-month intervals.
  • Failing to perform an annual security exercise.
  • Failing to label drill and exercise documentation as SSI and store properly.
  • Failure to maintain drill and exercise records.

Improper notifications to USCG:

  • Breaches of security not immediately reported to USCG or National Response Center.
  • FSPs not being submitted for renewal prior to the expiration date.
  • FSPs containing unapproved changes and amendments.

Training:

  • Facility owners or operators failing to notify facility employees of what parts of the facility are secure areas and public access areas and ensuring such areas are clearly marked.
  • Facilities failing to train personnel with security duties; including facility personnel, contract security guard service, and/or TWIC escort companies on relevant provisions of the FSP.

Proper FSP Updating:

  • Owner/Operator failing to ensure annual audits of the FSP are conducted by persons with requisite knowledge as required by the regulation.
  • Current list of FSOs not updated in the FSP.
  • Owner/Operator section of FSP missing TWIC requirements.
  • Failing to designate an FSO and failing to designate a 24-hour contact number for the FSO.

Proper Implementation of FSP:

  • Owner/Operator failing to ensure that the facility operates in accordance with the approved FSP.
  • Facilities failing to follow incident procedures outlined in approved FSP.
  • Facilities failing to provide security personnel with the ability to monitor video surveillance systems per approved FSP.

Failure to conduct annual audits:

  • Facilities failing to conduct an annual audit of the FSP.
  • Failing to provide certifying documentation of annual audit.
  • Failing to follow audit requirements in accordance with the regulation.
  • Facilities failing to review the FSP and submit changes to the USCG for approval.
  • Failing to update the FSA each time the FSP is submitted for revisions.

Remember, an FSP is not a “binder on the shelf”, but a security operating plan that must be fully implemented and followed in everyday operations.