What to Expect from a CFATS Compliance Inspection

For some time, the DHS Infrastructure Security Compliance Division (ISCD) has conducted Authorization Inspections of Tiered CFATS facilities.  Recently, they began conducting actual Compliance Inspections of CFATS regulated facilities. The purpose of the Compliance Inspection is to verify and validate that the regulated facility is in compliance with its approved Site Security Plan (SSP) or Alternative Security Program (ASP).

Typically, DHS will not conduct a Compliance Inspection until all the completion dates for the facility’s Planned Security Measures have passed. However, it is possible they may schedule the inspection prior to the completion dates stated in the SSP/ASP.  Facilities should be prepared to give the inspectors an update on the status of all Planned Security Measures.  They may have to demonstrate that they will be able to meet the timelines stated in the approved security plan.

What to Expect During the Inspection

The inspectors will an in-brief at the beginning of the CI. This briefing will include confirmation of CVI status for personnel participating in the the CI, an overview of the purpose and intent of the inspection, what should be expected from DHS, what DHS expects from the facility, and a tentative plan on the inspection. Facilities should be prepared to present a basic overview of facility operations and brief description of the COIs and how they are used at the facility.

During the inspection process:

  • Inspectors will review the Existing Security Measures to confirm they are implemented;
  • Inspectors will want to know the status on all Planned Security Measures and will verify that they have been implemented;
  • The facility will need to demonstrate they have implemented the procedures, policies and processes listed as Planned Measures in the Security Plan;
  • They should have background check records available for all personnel that have access to the COIs or assets;
  • They should have all required Records listed in RBPS 18 available for review, including:
    • Drills and Exercise Records,
    • Security Equipment Maintenance Records,
    • Training Records,
  • Inspectors will want to tour the facility to inspect the Physical Security features of the facility.

After the Compliance Inspection

Even though the actions the inspector(s) will take during and after the CI are very similar to that of the AI, it’s important to note, the CI process is different from the AI:

  • The CI may lead to an enforcement action if the facility does not sufficiently implement the security measures as outlined in the approved security plan.
  • Under normal circumstances, facilities will not need to edit their security plan following the CI. Edits are only necessary for significant changes in the security posture. Minor changes will be reflected in the inspection report or supplemental information provided by the facility.
  • If a facility remains in compliance, DHS will issue the facility a “Post-Compliance Inspection Status” letter, notifying the facility of their continued compliance.

The inspectors are allowed to give the facility 30 days to solve any deficiencies or non-compliance issues that are discovered during the CI. Although, they will not provide a written leave-behind for the facility.  So take good notes. The facility should expect a Post Inspection Status Letter from DHS stating if the facility is in compliance with the Security Plan and CFATS. The letter will also detail any findings or deficiencies found during the inspection that where not solved in the allotted 30-day extension.