According to DHS, the CFATS regulation required almost 36,000 sites which possess listed Chemicals of Interest (COI) at or above a specific Screening Threshold Quantity (STQ) to complete a screening exercise, the Chemical Security Assessment Tool (CSAT) Top-Screen. The information collected through the top-screen allowed DHS to issue a preliminary determination of risk. Facilities identified as “high risk” through the top-screen process were then required to prepare and submit a Security Vulnerability Assessment (SVA), which identifies specific assets of concern to DHS and analyzes security vulnerabilities. It also provides information DHS uses to develop an estimate of offsite human health and safety consequence of an intentional release of a chemical of interest. This data is analyzed by DHS and a resulting tier determination is made based on the facility’s degree of risk in relation to the chemicals of interest for DHS. Facilities are ranked in tiers 1 through 4, with 1 being the highest risk.
Nearly 7,000 sites were preliminarily designated as “high risk” and have submitted the required SVA. The majority of these sites are now awaiting a final tier determination in order to develop and implement a facility-specific SSP. As required by the enabling legislation. CFATS established RBPS for the security of our nation’s chemical facilities, and the SSP developed by each facility must include the level of security tied to these tier-level performance metrics.
Screening and Vulnerability Assessments Steps
The evolution of CFATS and the CSAT that DHS developed to facilitate compliance present challenges to covered facilities due to elements of uncertainty throughout the CFATS process. Many covered facilities are having difficulty planning ahead and developing strategic approaches to compliance, including resource expenditures. This is especially true in a difficult economy.
Uncertainty may arise in both the Top-Screen and SVA data submission steps arises regarding:
How is DHS analyzing the information provided by facilities?
How are tiering decisions being made?
How does the information submitted to DHS relate to the actual security posture or the potential gaps in security at the facility level?
Understandably, some of the analysis and decision-making processes used by DHS are classified to protect national security interests. But, as a result, other than being told the chemicals of interest, security issues, and tier levels, facilities can only make an educated guess to infer which elements of their information made them rank as a “high risk” chemical site. The CSAT SVA, unlike many industry SVA methods, is mostly a data collection step for DHS and does not provide complete feedback on vulnerabilities, consequences, assist in the identification of additional security needs, or provide the asset owner with much useful vulnerability information for planning and executing an overall site security plan with a coherent resource estimate.
Some of this ‘guidance’ comes when DHS issues the final tier determination, but facilities may still find uncertainty regarding the SVA results and how they tie into the SSP. In addition, because the CSAT SVA only considers high-end terrorist attacks with catastrophic consequences, the final SSP developed for CFATS will most likely not consider more common threats posed by disgruntled employees or contractors, labor unrest, criminals,or activists. This broader spectrum of threats should be considered by the facility, of course, in addition to CFATS requirements, for meeting other corporate objectives for security management.
The CSAT SVA requires facility owners to identify assets based on information reported about chemicals of interest to DHS in the top-screen. Like many other regulatory programs, CFATS uses a list of chemicals and thresholds to help define whether a facility needs to provide information and might be covered by the regulation. This step was necessary to define and limit the scope of those affected. Appendix A to the regulation was published in April 2007 and lists 325 chemicals at minimum threshold quantities and minimum concentrations. Each of these chemicals was selected by DHS due to their properties (toxicity, flammability, explosive properties) and by the ease and the likelihood that they could be targeted by terrorists for onsite attack, release, theft, diversion, or sabotage. A particular facility might have chemicals on the DHS list, but it may also have other materials that are not on the list that may be just as hazardous for those who would steal or attempt to buy them for nefarious purposes. These other chemicals or materials are not considered at this point.
This segregation of an owner’s assets into those that are of interest to DHS and those that are not can lead to a less holistic approach to site security and an uneven allocation of security resources at facilities seeking merely to “check the box” of compliance rather than to really improve their security. The CSAT SSP does allow facilities to identify additional chemicals and name assets that were not reported in the SVA, but the benefit of providing this additional level of information to DHS is unclear to some regulated facilities.
Beyond COI, another potential limitation of the CSAT SVA is that DHS only considers the fatality and injury impacts of a chemical release or a theft. This limited focus is necessary for DHS to meet the mandate to regulate facilities which present a “high level of security risk.” While impacts to people from a chemical release are always a great concern at the facility level, there may be processes that have a much greater potential impact due to replacement costs or business interruption if damaged or destroyed. Similar to the full range of threats, if all critical assets are not considered then the final CSAT SSP alone will not meet the overall security needs of a given facility.
As a prudent security manager at a CFATS-covered facility, a more “integrated SVA” approach to assessing the facility’s critical assets and vulnerabilities should be undertaken. By employing a more robust SVA approach (in conjunction with or in addition to the CSAT SVA), facility owners and operators can develop a security management approach that meets both the needs of DHS as well as the needs of the individual facility, identifying gaps in security and developing cost-effective risk reduction countermeasures that address all critical assets and a full range of threats.
For example, a CSAT SVA is required when DHS determines (on a preliminary basis) that there are chemicals of interest at a facility that are at risk of theft or diversion. The SVA requires that theft be considered, but only for the locations and assets identified by DHS. A facility that takes a broader, more comprehensive view of theft would consider all assets -- chemicals, other materials, supplies, equipment, and tools -- as theft targets will likely be able to identify and counteract vulnerabilities that are more realistic for the site.
Countermeasures identified to meet the RBPS to secure chemicals at risk of theft or diversion in the example above may be included in a broader, more complete list of security measures needed to secure valuable assets and materials at the site level. By expanding the analysis to be more comprehensive, the site will meet its compliance requirements while generating a more comprehensive list of security countermeasure recommendations for management consideration. The business case for the security measures needed to comply with CFATS can be helped by showing management how the overall site risk may be reduced and how a comprehensive approach will use limited resources more wisely. Furthermore, a comprehensive approach to security avoids the development of programmatic "silos” that are set up to only address a specific regulatory challenge and may result in higher costs for meeting all of the demands.