CFATS Progress Report
TO ENHANCE SECURITY at thousands of facilities that manufacture, use, or store certain chemicals across the United States, Congress included chemical security requirements as part of the Homeland Security Appropriations Act of 2007. The U.S. Department of Homeland Security (DHS) was charged with the development of regulations, known as the Chemical Facility Anti-Terrorism Standards (CFATS). As with any complex law, it has taken years to put a framework in place—and there have been many missteps along the way. During that time, there has been much back and forth with industry as well as uncertainty with the program itself. Despite that, DHS has pushed ahead, and its compliance activity is in high gear for 2013, meaning that affected facilities must also have their compliance programs in high gear.
The law directs DHS to take a risk-based approach. Since the law’s enactment, DHS, through its Infrastructure Security Compliance Division (ISCD), has been assessing and categorizing facilities into risk tiers. Those deemed high-risk have had to submit a Site Security Plan (SSP).
The SSP is the heart of CFATS. It explains how the facility will meet Risk-Based Performance Standards (RBPSs).
Because the law authorizing CFATS directed ISCD to develop a performance-standard driven regulation, CFATS defines only the actual security outcome—for example, the requirement to “deter, detect, and delay.” The precise technology, methods, or hardware chosen is a facility-specific decision, but DHS gets to rule on that decision.
Performance standards give security planners the flexibility to select layered protective measures based on a facility’s unique considerations. Before a facility can be sure that it is on the right track, however, ISCD must approve or deny the plan. Critics have not been happy with this process.
These issues came to the fore in 2011 when a national news organization obtained a leaked copy of an internal report titled “Challenges Facing ISCD, and the Path Forward.” Congress held hearings.
Many of the concerns raised by Congress had been raised by CFATS-regulated facilities for years, including queries as to why ISCD had failed to fully approve a single SSP after spending nearly $500 million in taxpayer dollars since the inception of the program in 2007 (though some plans had received first-round conditional approval).
During the fall of 2012, facilities began to experience the effects of internal steps that ISCD leadership had taken to respond to the criticism.
ISCD gave final approval to an SSP for the first time in September 2012, and others have followed, indicating clear progress on this front. ISCD had approved 52 SSPs as of March 21.
Of course, plan approval is only the beginning. These facilities must ensure ongoing compliance with all aspects of their security plan and conduct a yearly audit.
All facilities can learn lessons from the facilities that have made it through the final approval phase. The following sections examine some of those lessons.
Whether a facility must submit a security plan depends on many factors, beginning with the specific chemicals, and their quantities, that a facility possesses. These Chemicals of Interest (COIs) are established by Appendix A to the CFATS regulation, and fall into three broad categories or Security Issues: Release, Theft/Diversion, and Sabotage/Contamination.
The list of more than 300 COIs includes exotic chemicals that have few (if any) legitimate commercial uses, such as sarin and lewisite, as well as chemical building blocks such as chlorine. Each COI has an associated Screening Threshold Quantity (STQ), which serves as a potential high-risk trigger. Facilities that possess a COI above its STQ must self-report to ISCD using an online software suite called the Chemical Security Assessment Tool (CSAT).
The initial reporting, known as a Top-Screen, begins the process by which ISCD decides whether the facility is to be recognized as high-risk and if so, which of four risk tiers (Tier 1–Tier 4) it should be assigned (with Tier 1 facilities representing the highest degree of security risk in relative terms). Each high-risk facility must subsequently complete a Security Vulnerability Assessment (SVA).
The SVA is intended to provide a more comprehensive view of the facility’s risk-profile, which will enable ISCD to confirm or alter the facility’s initial risk tier. Facilities that remain high-risk following ISCD’s review of the SVA must submit a security plan. More than 3,000 facilities have submitted security plans using the SSP application of the CSAT portal.
Most SSPs developed under the CFATS program are the result of facilities’ possession of Theft/Diversion COI(s). ISCD’s focus on these Theft/Diversion COIs (as opposed to Release COIs) has enabled many facilities to take a more streamlined, “asset-based” approach to CFATS compliance and apply specific protective measures only at the location where the Theft/Diversion COI is physically used, stored, or processed.
Rather than applying Tier 1 or Tier 2 level security measures across the facility’s entire perimeter, for example, a facility with a Tier 1 or Tier 2 regulated Theft/Diversion COI could enhance security only where that COI is actually used. This could be as simple as constructing a cage or other enclosure to further isolate the COI, which may be as small as a cylinder of toxic gas or drum containing a common oxidizer, and applying access control measures or practices. The facility’s overall perimeter and access control measures, as required by RBPS 1 (Restrict Area Perimeter) and RBPS 3 (Screen and Control Access) respectively, may require little, if any, security beyond what the facility already had in place.
The asset-based approach has been applied with increasing frequency to facilities of all types and sizes, including those situated on hundreds of acres (such as a chemical production site) or those situated within a single building (such as a semiconductor wafer fabrication plant). The asset approach has saved hundreds of thousands, or even millions, of dollars in up-front and continuing compliance costs and provides other CFATS benefits beyond physical security, such as limiting the number of people affected by the background-check requirements.
SSP Process Problems
While it’s good that ISCD has started approving SSPs, there’s a deeper problem with CFATS implementation, which is that completing the SSP in the CSAT portal is more a compliance obligation than a useful security step. The reason is that all facilities must answer the more than 1,000 “one size fits all” questions in the portal as a way of developing the SSP. The result is a lot of disconnected answers that can stretch into the hundreds of pages with no value as a resource for improving or managing security. Despite numerous objections from the regulated community, the CSAT SSP process has not changed since its inception in 2009, and facilities continue to struggle with it.
Alternative. It is for these reasons that some security managers have taken advantage of provisions in CFATS that allow for Alternative Security Programs (ASPs). ASPs are appealing because they can more effectively function as a security roadmap that identifies the actions, requirements, and mechanisms by which a facility complies with each RBPS on a day-to-day basis.
The CFATS regulation allows any facility, regardless of tier, to submit an ASP in lieu of an SSP using a file upload feature of the CSAT portal. It is then ISCD’s responsibility to determine whether the ASP establishes an “equivalent level of security” relative to an SSP for each RBPS and considering the applicable COIs and Security Issues (i.e., Release, Theft/Diversion, and/or Sabotage/Contamination) identified on the facility’s final tier-notification letter.
As noted, there is no specific format for an ASP, which is both its strength and its weakness. Various approaches have been submitted for ISCD consideration, but the ASP concept presents a challenge. From ISCD’s perspective, it must evaluate each ASP outside of the standard and repeatable “scoring” or review mechanism used for SSPs. This has the potential to create delays because it may be difficult for ISCD to evaluate a facility’s ASP to ensure an “equivalent level of security” relative to an SSP as required by law.
From a facility perspective, the amount of information, level of detail, and most suitable format to use in developing an ASP is only now becoming a bit clearer. For example, if the intent is for the ASP to both satisfy a compliance obligation and serve as a facility’s functional security plan, then there remains the challenge of how to reconcile CFATS and RBPS expectations in the realm of practical implementation. In other words, if the ASP includes too much detail because it must address all applicable RBPSs, then the ASP could become so lengthy that it loses functional value; on the other hand, if the ASP is not sufficiently detailed, then it might not satisfy ISCD’s requirements.
For reasons such as this, some security managers are waiting on the sidelines until there is a history of ASP approvals.
Whether a facility chooses to pursue authorization under CFATS via an SSP or ASP, ISCD must perform a facility inspection through its Authorization Inspection (AI) process. ISCD will only initiate an AI after the security plan has received a Letter of Authorization, which indicates preliminary security plan approval. Then, only after successful completion of the AI will a facility receive its Letter of Approval. At that point, the facility becomes obligated to follow its plan.
The purpose of the AI is to validate the preliminarily approved security plan in two main respects: The first is to ensure that the security plan accurately represents the facility’s protective posture. In this regard, the inspectors must validate that the information provided in the security plan reflects the realities on the ground.
For example, if a security plan indicates that the facility is protected by a waterway as a natural boundary, precluding the need for a man-made physical barrier at the perimeter, then the ISCD inspector must verify that it is a waterway of sufficient size to provide meaningful perimeter protection.
The second purpose of the AI is to confirm the implementation of any “Planned Security Measures” that have been claimed in an SSP or ASP. The AI must validate that they have been or will be implemented. Validation can be accomplished in a number of ways, including through supporting documentation, such as a purchase order or design drawings in the case of security technology, or an outline in the case of a forthcoming policy or procedure.
When AIs started in mid-2010, ISCD went at a very slow pace, but it has picked up significantly since the summer of 2012. ISCD has completed more than 151 AIs of Tier 1 (highest risk) and Tier 2 sites and has indicated its intent to start AIs at Tier 3 sites later in 2013.
The AI process will continue to evolve, but commonalities will remain. Let’s look at these in terms of three aspects: the format, the amount and specificity of inspector feedback, and the outcome.
Format. Once a facility receives a Letter of Authorization (which is communicated to the facility via the CSAT portal), the lead ISCD inspector will contact the facility to identify potential inspection dates and provide basic information regarding the inspection process. ISCD makes every effort to accommodate a facility’s preference for inspection dates, but facilities will find less flexibility to change or extend inspection dates once assigned.
While the number of inspectors participating at the AI can vary, it has ranged from three to eight. The inspectors typically divide into teams, with each team reviewing a specific group or category of RBPSs.
Typically, the AI is scheduled for three to five days. On day one, the inspection usually begins with a short introduction by the inspectors, the exchange of Chemical-Terrorism Vulnerability Information (CVI) Authorized User Numbers among inspection participants (this has to do with protecting the privacy of the information being shared), and a high-level facility tour. In many cases, the facility also provides a short overview of its operations and overall security philosophy or approach to CFATS compliance (such as why the facility may have elected to employ an asset-based approach) or a review of some of the security enhancements (either technology-based or process-based) that may have been implemented since the original security plan was submitted.
Preparation. Inspectors have acknowledged certain preparations that can make their job—and, correspondingly, the overall inspection and facility’s experience—easier. One is to provide inspectors with facility maps that they can use to reference various facility features and characteristics, such as the location of COIs or security equipment. A second is to provide documentation to support statements made in the security plan. A third is to facilitate interviews of personnel who have a role in the overall protection of the facility or stewardship of the COIs but who are not necessarily “security personnel” in the traditional sense (such as a person who is responsible for managing a loading dock where COIs are shipped, received, stored, or temporarily staged, or a representative from the human resources department who manages the facility’s background check program for new hires).
Inspector feedback. The few facilities that underwent some of the first AIs in 2010 and 2011 did not receive much feedback from the inspectors, who were not at liberty to provide much commentary. At the time, there was some concern within DHS, and even within the industry, that substantive commentary on the part of the inspectors might be interpreted as prescriptive and contrary to the spirit of the mandate that measures be performance-based. This made for a one-directional inspection process in which the facility provided all the required information to ISCD but received little feedback.
Today, however, the thinking has evolved and inspectors are more likely to engage facility representatives in dialogue regarding a particular security measure, topic, or compliance strategy. Recognizing that facility management must ultimately decide what to include (and not include) in its security plan, inspectors usually refer to their statements as “observations for consideration.”
Outcomes. The facility does not receive a copy of its AI report, but the inspectors do provide a formal outbrief on the last day of the inspection. Inspectors do not make security plan approval or denial decisions. Such decisions are made at the headquarters level, but those decisions are, of course, informed by and contingent upon the report prepared by the inspectors.
With few exceptions, and following the conclusion of the AI, the facility must update its security plan within a designated time frame. The update, like the original, will be carried out via the CSAT portal.
It’s instructive to know the reasons DHS cites for requiring the plan updates. Chief among them is the need for the facility to provide more clarifying and descriptive information in the security plan. For example, a facility may indicate that it has a fence in response to a corresponding question in the CSAT portal, but ISCD wants to know more. It might be appropriate to say that “the fence covers 100 percent of the site operating boundary, is 6 feet high with a top-rail, and has 3 strands of barbed wire on a 45 degree outrigger facing away from the facility.”
Other clarifying information might be to explain what security benefits are derived from various policies, procedures, and measures that can enhance protection but that are not security equipment or measures in the traditional sense. For example, the facility may have a comprehensive inventory management system that includes regular validation of inbound and outbound shipments of COI. ISCD wants the facility to include such measures in the appropriate sections of RBPSs.
The more detailed these descriptions become, however, the more a facility may need to worry about keeping them current. As these processes change over time, how and to what extent ISCD will want a facility to update its security plan accordingly is largely unknown.
The facility will also want to update its plan as its overall approach toward CFATS compliance evolves. For example, the facility may want to adjust its CFATS compliance strategy, moving from a facility-wide to an asset-based approach as mentioned earlier. As both ISCD and facilities get comfortable with CFATS and specific expectations of the amount or level of security required at each tier level, a facility may also want to update the security plan to help ensure that it neither overcomplies nor undercomplies.
ISCD knows that preliminarily approved security plans are probably not adequate and will require more work. In this regard, the AI acts like the now defunct “Pre-Authorization Inspections” (PAIs) that occurred in 2010 and part of 2011; the purpose of a PAI was for ISCD to visit the regulated facility and identify enhancements to its security plan so that the facility could resubmit it via the CSAT portal for further review, and that’s basically the case now with the AI.
Regardless of how it is achieved, the ultimate goal of ISCD is to issue Letters of Approval and begin a regular and repeatable process of inspection and enforcement.
For a regulated facility, management of ongoing compliance is likely the most significant but least understood aspect of CFATS. And some aspects of the rules are still little understood and untested. For example, facilities must “identify people with terrorist ties” per one element of the RBPSs, but how that is to be done remains a point of contention between the regulated community and ISCD.
On March 22, ISCD made public its most recent thinking on this topic, and it is again soliciting feedback. What constitutes a “material modification,” thereby requiring a new Top-Screen, has also not been formally defined, even though it affects facilities of all types and sizes, including those that only possess a COI for short periods of time, those impacted by seasonal inventory shifts, or those that may temporarily stage a single railcar containing a COI. Closely related to the issue of “material modifications” is the issue of risk tiering, and there is an effort underway to review the underlying tiering methodologies.
Against this backdrop, ISCD recognizes a need to update the CSAT portal to make it more functional and user friendly. That process began in early 2013 with a series of CSAT workshops for industry.
ISCD also recognizes a need to review and revise the Appendix A list of COIs that has not changed in nearly six years. It is now all but certain that ISCD will, at some point, remove some COIs from the list; it may add others as well, and otherwise modify the STQs that require Top-Screen filing in the first place.
There is also some indication that ISCD may even add an entirely new category of COIs that are “critical to government mission and national economy.” As a result, some facilities that reduced or modified COI inventories to reduce their CFATS exposure may find themselves brought back under the regulations. Those that have been covered will have to remain ready to adjust to changes that could impact their security plan requirements down the road. As is often the case with security and regulations, the only certainty is that requirements will continue to change, and companies must be ready to adapt.
Steve Roberts is a consultant based in Houston. He has been assisting facilities in the CFATS program since its inception.