Lessons Learned through the CFATS Security Vulnerability Assessment (SVA) and Site Security Plan (SSP) Process
Posted: October 16th, 2017
Authors: Kristin G.
In 2016, the Department of Homeland Security (DHS) introduced CSAT 2.0, which contained an enhanced risk tiering methodology to better identify and address “high risk” chemical facilities based on information submitted by these same facilities on Chemicals of Interest (COIs) via Top-Screen surveys. Top-Screen surveys and subsequent actions are required by the Chemical Facility Anti-Terrorism Standards (CFATS) program, are authorized under the Homeland Security Act, and are codified under 6 CFR Part 27. DHS has reviewed the Top-Screen survey results and has been notifying facilities of their risk classification via letter: high risk (Tier 1 through Tier 4) or low risk.
A facility that receives a high-risk classification is then required to perform a Security Vulnerability Assessment (SVA) and develop a Site Security Plan (SSP); for newly tiered facilities, the deadline is 120 calendar days from receipt of the high-risk classification. ALL4 has been working with high-risk facilities to perform the SVAs and to develop SSPs in support of the CFATS program, and we wanted to share our experiences to date.
Note that if a facility comes into possession of an additional listed COI at or above the screening threshold quantity (STQ), or makes a material modification after submitting the Top-Screen, the facility must complete and submit an updated Top-Screen to DHS within 60 calendar days.
Let’s start with the natural first question – “I received my Tier classification letter from DHS, what do I do now?” There is no single way to go through this process as much of it depends on the facility, the COI and critical asset, and the organizational structure of the regulated entity. A couple of tips to make the process efficient, cost-effective, and beneficial:
- Determine who the appropriate parties are to be involved. Determine who may need to contribute to the process: security, safety, IT, environmental, and Risk Management Program (RMP)/Process Safety Management (PSM) leads, the Fire Chief, the Process Control lead, and operations personnel may all be involved. Also, define who is the person in charge – it may not be clear who the person leading the process should be, so figure it out up-front. Lastly, engage with your DHS contact right away, as their involvement will be helpful.
- Determine a process for performing the SVA and developing the SSP. An approach that has worked for ALL4 has been to be on-site (approximately 2 days) and to follow the outline below:
  - Conduct an introductory meeting with the appropriate parties to introduce the rule, the facility Tier classification, the COI, the critical asset, and to present how the SVA/SSP process will proceed.
  - Tour the facility and critical asset area to understand what security systems, procedures, and measures are currently in place – review the security from a facility-wide perspective and an asset-specific perspective, recognize what systems are already in place, how access is (or isn’t) restricted, monitored, reacted to, etc.
  - Utilize the DHS resources, including the Chemical Security Assessment Tool (CSAT) 2.0 Security Vulnerability Assessment (SVA)/Site Security Plan (SSP) Instructions and the Risk-based Performance Standards (RBPS) Guidance, to guide your interview of key parties. The goal is to understand the processes and systems currently in place to reduce vulnerability and to identify any areas that may require changes/investments (i.e., planned measures) to reduce vulnerabilities at the facility boundary and the critical asset area.
  - Review the SVA and compile notes that will facilitate the completion of the electronic SVA using the information gleaned from the first few steps in this process. Use the time to identify any missing components or processes/procedures not previously documented.
  - Determine if the facility will be completing the SSP or opting to submit an Alternative Security Program (ASP), pursuant to 6 CFR § 27.235, following DHS guidance and meeting the requirements of 6 CFR § 27.225 and satisfying all applicable RBPS per 6 CFR § 27.230.
  - Follow-up with facility personnel on anything that was not clear or is determined to be incomplete, re-visit the critical asset, and document asset-specific measures so that the SVA and SSP (or ASP) can be completed off-site.
  - Develop draft SVA and SSP (or ASP) for review by key appropriate parties.
  - Finalize SVA and SSP (or ASP) for submittal to DHS.
- Know what to expect next. After submitting your SVA/SSP (or ASP) via the CSAT Portal, DHS analysts in Washington D.C. will review these plans and there may be some communication to clarify plan information or answer questions that could arise. Ultimately, the facility should expect to receive a Letter of Authorization. Upon receipt of the Letter of Authorization, DHS will schedule an Authorization Inspection in order to make a final determination and issue a Letter of Approval. In the event that the SVA/SSP does not appear to satisfy the applicable RBPS, DHS will contact the facility to discuss appropriate steps to remedy the possible deficiencies and may issue a Letter of Authorization. This review process is currently averaging approximately 200-280 days.
If the facility fails to submit an approvable SSP, DHS will attempt to work with the facility to bring it into compliance; however, should the facility fail to come into compliance, DHS is authorized to take enforcement action. Please note that the facility should NOT implement any planned measures until receipt of the Letter of Approval; in other words, do not spend the money until DHS approves your plan!
As outlined above, the process appears straightforward on the surface. Based on ALL4’s experience on-site at multiple facilities and our communication/coordination with DHS, we offer the following lessons learned in the process.
- Be connected and engaged with your DHS contact. The more connected you are, the higher the probability that you will receive a Letter of Authorization/Letter of Approval on your first time through. DHS is willing to be onsite during the SVA/SSP process, and collaborating with DHS will help you understand DHS expectations based on activities and lessons learned at other high-risk facilities.
- Focus on the asset-specific security and control measures. Most facilities have previously considered security at the site level; however, not always at the critical asset level inside the facility boundary or fenceline. The majority of measures that we have identified to be implemented as part of the SVA/SSP process have been asset-specific vs. at the facility level.
- Take advantage of existing controls/processes/measures/systems that support other programs. Those same controls/processes/measures/systems that are employed to help protect employees, the public, and the environment under RMP/PSM/OSHA can be identified as controls/processes/measures/systems to minimize the vulnerability of critical assets in the CFATS program. For example, barricades to protect tanks from routine plant traffic, lock-out/tag-out systems, and process control room cameras for operational control also have a role in the CFATS program.
- Recognize the opportunity for an extension. Does your corporation have multiple facilities across multiple states with a short compliance timeline? Has your facility been negatively impacted by the recent hurricanes? Are there other site-specific considerations that may warrant an extension? DHS will review each extension request and all relevant information to make an extension decision via the CSAT system. ALL4 is aware of several extensions that DHS has already granted.
- Utilize external security expertise when and where appropriate. ALL4 is fortunate to have retired federal agents on our team that bring a unique perspective to this process. Their past experience with terrorism and their ability to look at facilities and critical assets through those lenses may not be required for everyone; however, when there is a unique scenario, their security expertise is invaluable.
If you are a high-risk facility required to submit an SVA/SSP and are looking for support or have questions, please reach out to ALL4’s Kristin Gordon (firstname.lastname@example.org, 281.201.1241) or Bill Straub (email@example.com, 610.422.1112).