CFATS and Comprehensive Chemical Security Management

By Lee Salamone, Brad Fuller, and H.M. Leith

The CSAT Site Security Plan to Implement the RBPS

The final RBPS guidance has been published by DHS, but while it provides some security metrics and guidance, it does not provide a complete roadmap for which upgrades may be needed at each tier level. These will, in fact, not be prescribed by DHS, as Congress prohibited the requirement of any specific security measures. The performance basis of the rule and the general guidance will challenge each facility to determine its own site-specific security posture that will both satisfy DHS and achieve the overall security objectives of the facility in a cost-effective way. Each SSP is essentially a site-by-site negotiation with DHS given the specific risk issues and security measures proposed for compliance.

All covered facilities under CFATS will be required to fill out and submit a CSAT SSP documenting how the facility will meet the applicable RBPS appropriate at its designated tier level. The SSP submission is a key to site compliance under CFATS. DHS inspectors will use it to verify that a facility does indeed have in place the equipment, procedures, and measures documented in the DHS-approved SSP.

The CSAT SSP tool is primarily a checklist-based, menu-driven on-line tool. Similar to the CSAT Top-Screen and SVA, the SSP is a DHS data collection process to capture specific security systems and equipment at the facility as they pertain to the listed COI and assets of interest in the final tier determination specified by DHS. The result will be related to anti-terrorism issues that may not effectively address the other pertinent security issues at the facility.

Since many facilities will require security upgrades to meet the RBPS, it is crucial that the investment in security systems, equipment, and layers of protection meet the needs of DHS as well as the full range of critical assets, threats, and vulnerabilities that a security manager needs to understand and address. For CFATS compliance and general chemical facility security, a detailed review of critical assets, vulnerabilities, and existing security countermeasures (which will also be needed for comparison to the RBPS) is needed. A thorough gap analysis should identify:

  • Differences in CFATS assets identified in the CSAT SVA as compared to all processes and chemical storage areas or shipping areas that may be critical due to safety, replacement cost, or business impact.

  • Specific vulnerabilities as compared to the RBPS.

  • Categories of security upgrades that will be required for CFATS compliance (e.g., restrict area perimeter, secure site assets, etc.).

  • CFATS security upgrades that address the full range of critical assets, threats, and vulnerabilities not explicitly considered under CFATS.

  • Additional security investments that are needed to meet the desired overall security posture of the facility.

  • Optimization of the suite of security upgrades to meet both DHS and other facility security goals.

It is important to note that the RBPS guidance document is only guidance and will not require the purchase or deployment of any specific technology, device, or procedure. This performance-based approach was mandated by Congress and had the support of the chemical industry, which was seeking flexibility. While this appears to provide wide latitude for response by industry, it also may provide wide latitude to DHS in its interpretation of what may or may not meet the performance-based metrics. A thoughtful gap analysis and justification of each security upgrade will be needed, and the basis for the data submitted in the SSP should be documented.

Once a broad gap analysis is conducted and additional security upgrades are identified, it would be prudent to answer the following questions:

  • Will the specific security countermeasure or layers of security address an existing vulnerability of another critical asset at the site not identified previously under CFATS?
  • If the company has multiple facilities, will the countermeasure be applicable to more than one facility location? If so, can it be applied consistently across the company’s different locations?
  • If the company has multiple facilities, will the countermeasure be equally effective at all locations?
  • If the company has multiple facilities at different tiers, can the countermeasure be effectively scaled to address the graded security of the RBPS performance metrics?
  • Can applicable countermeasures and policies be “scaled up” in accordance with the requirement that the facility be able to respond to elevated threat levels (RBPS #13)?



