While we have just advocated that covered facilities do their utmost to take a broad, comprehensive, and integrated approach to understanding their CFATS requirements, and use their compliance opportunity to integrate their security measures for improved overall security in a resource-conscious way, it may be prudent to keep the SSP documentation for CFATS compliance separate from the overall security plan that is implemented at the facility. This avoids potential “cross contamination” with information that doesn’t pertain to CFATS and makes internal auditing and DHS inspection easier.
DHS expects each facility required to submit an SSP to do so electronically using the CSAT SSP tool, unless it chooses to apply for permission to submit an Alternative Security Plan. Perhaps surprisingly, then, the compliance plan required for CFATS is more a data submittal than a working operational plan. This raises the question of how to document this information at the facility.
A recommended approach is to have an extractable CFATS chapter in your overall facility security plan, but possibly the cleanest way to create an SSP for CFATS compliance may be to develop a stand-alone plan that addresses the CFATS requirements directly and is supported by its own specific procedures and supporting documentation. This could be as simple as a copy of the submittal, but we recommend developing a series of policies, procedures, and other information as required to institutionalize the CFATS requirements and make them operational. In addition, all supporting information useful to prove compliance when required should be retained and well organized for inspection. All information developed and submitted to DHS must also be protected as required by CFATS.
The Benefits of a Value-Added Approach
A facility that uses an integrated approach will improve its security posture in a more comprehensive way by identifying a broader range of risks tailored to the facility, thereby identifying measures and policies that will secure the facility not only against the theoretical risks that drive CFATS, but also against the very real safety, security, and business risks that facilities face every day. The current CFATS regulation may change and evolve, with further congressional action expected when the enabling legislation expires in 2009. Sometime in the future, this might include re-evaluation and a potential change to the list of COI, identification of different threats, more comprehensive screening and vulnerability assessment steps, and more detailed security plans. Professional facility security managers who take the broader view now will be prepared to meet the challenges of the future, and their facilities will be better positioned with long-term security investments that will be applicable to changes in future chemical security regulation.
Authors Lee Salamone, Senior Consultant; Brad Fuller, Principal Engineer; and H.M. Leith, Senior Principal Consultant, all work for AcuTech Consulting Group, which provides process safety, risk management and security services to industries handling hazardous materials.