CFATS and Comprehensive Chemical Security Management
By Lee Salamone, Brad Fuller, and H.M. Leith
Print Edition Only:
When it comes to the federal government's Chemical Facility Anti-Terrorism Standards, there's compliance and then there's comprehensive chemical security management. Learn how to safeguard against terrorism while covering other more common security issues. (Online Exclusive)
Facilities that manufacture, use, store or process certain chemicals subject to the Department of Homeland Security (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) now need to determine how best to comply with the rule. DHS is sending letters to the regulated sites to set tier levels and deadlines for compliance. Since the compliance requirements for CFATS are specific to anti-terrorism issues regulated by DHS, many security professionals need to select appropriate security upgrades designed for the higher-order threat of terrorism for CFATS compliance while adequately covering other more common security issues.
Significant company resources may be required to comply with CFATS. This is especially true for the compliance step where a Site Security Plan (SSP) is developed based on the Risk-Based Performance Standards (RBPS). CFATS compliance must now be included as a part of an overall security management strategy to develop a comprehensive, integrated, and cost-effective approach to site security that incorporates the risk posed by terrorism but meets overall corporate security management objectives.
According to DHS, the CFATS regulation required almost 36,000 sites which possess listed Chemicals of Interest (COI) at or above a specific Screening Threshold Quantity (STQ) to complete a screening exercise, the Chemical Security Assessment Tool (CSAT) Top-Screen. The information collected through the top-screen allowed DHS to issue a preliminary determination of risk. Facilities identified as “high risk” through the top-screen process were then required to prepare and submit a Security Vulnerability Assessment (SVA), which identifies specific assets of concern to DHS and analyzes security vulnerabilities. It also provides information DHS uses to develop an estimate of offsite human health and safety consequence of an intentional release of a chemical of interest. This data is analyzed by DHS and a resulting tier determination is made based on the facility’s degree of risk in relation to the chemicals of interest for DHS. Facilities are ranked in tiers 1 through 4, with 1 being the highest risk.
Nearly 7,000 sites were preliminarily designated as “high risk” and have submitted the required SVA. The majority of these sites are now awaiting a final tier determination in order to develop and implement a facility-specific SSP. As required by the enabling legislation. CFATS established RBPS for the security of our nation’s chemical facilities, and the SSP developed by each facility must include the level of security tied to these tier-level performance metrics.
Screening and Vulnerability Assessments Steps
The evolution of CFATS and the CSAT that DHS developed to facilitate compliance present challenges to covered facilities due to elements of uncertainty throughout the CFATS process. Many covered facilities are having difficulty planning ahead and developing strategic approaches to compliance, including resource expenditures. This is especially true in a difficult economy.
Uncertainty may arise in both the Top-Screen and SVA data submission steps arises regarding:
How is DHS analyzing the information provided by facilities?
How are tiering decisions being made?
How does the information submitted to DHS relate to the actual security posture or the potential gaps in security at the facility level?
Understandably, some of the analysis and decision-making processes used by DHS are classified to protect national security interests. But, as a result, other than being told the chemicals of interest, security issues, and tier levels, facilities can only make an educated guess to infer which elements of their information made them rank as a “high risk” chemical site. The CSAT SVA, unlike many industry SVA methods, is mostly a data collection step for DHS and does not provide complete feedback on vulnerabilities, consequences, assist in the identification of additional security needs, or provide the asset owner with much useful vulnerability information for planning and executing an overall site security plan with a coherent resource estimate.
Some of this ‘guidance’ comes when DHS issues the final tier determination, but facilities may still find uncertainty regarding the SVA results and how they tie into the SSP. In addition, because the CSAT SVA only considers high-end terrorist attacks with catastrophic consequences, the final SSP developed for CFATS will most likely not consider more common threats posed by disgruntled employees or contractors, labor unrest, criminals,or activists. This broader spectrum of threats should be considered by the facility, of course, in addition to CFATS requirements, for meeting other corporate objectives for security management.
The CSAT SVA requires facility owners to identify assets based on information reported about chemicals of interest to DHS in the top-screen. Like many other regulatory programs, CFATS uses a list of chemicals and thresholds to help define whether a facility needs to provide information and might be covered by the regulation. This step was necessary to define and limit the scope of those affected. Appendix A to the regulation was published in April 2007 and lists 325 chemicals at minimum threshold quantities and minimum concentrations. Each of these chemicals was selected by DHS due to their properties (toxicity, flammability, explosive properties) and by the ease and the likelihood that they could be targeted by terrorists for onsite attack, release, theft, diversion, or sabotage. A particular facility might have chemicals on the DHS list, but it may also have other materials that are not on the list that may be just as hazardous for those who would steal or attempt to buy them for nefarious purposes. These other chemicals or materials are not considered at this point.
This segregation of an owner’s assets into those that are of interest to DHS and those that are not can lead to a less holistic approach to site security and an uneven allocation of security resources at facilities seeking merely to “check the box” of compliance rather than to really improve their security. The CSAT SSP does allow facilities to identify additional chemicals and name assets that were not reported in the SVA, but the benefit of providing this additional level of information to DHS is unclear to some regulated facilities.
Beyond COI, another potential limitation of the CSAT SVA is that DHS only considers the fatality and injury impacts of a chemical release or a theft. This limited focus is necessary for DHS to meet the mandate to regulate facilities which present a “high level of security risk.” While impacts to people from a chemical release are always a great concern at the facility level, there may be processes that have a much greater potential impact due to replacement costs or business interruption if damaged or destroyed. Similar to the full range of threats, if all critical assets are not considered then the final CSAT SSP alone will not meet the overall security needs of a given facility.
As a prudent security manager at a CFATS-covered facility, a more “integrated SVA” approach to assessing the facility’s critical assets and vulnerabilities should be undertaken. By employing a more robust SVA approach (in conjunction with or in addition to the CSAT SVA), facility owners and operators can develop a security management approach that meets both the needs of DHS as well as the needs of the individual facility, identifying gaps in security and developing cost-effective risk reduction countermeasures that address all critical assets and a full range of threats.
For example, a CSAT SVA is required when DHS determines (on a preliminary basis) that there are chemicals of interest at a facility that are at risk of theft or diversion. The SVA requires that theft be considered, but only for the locations and assets identified by DHS. A facility that takes a broader, more comprehensive view of theft would consider all assets -- chemicals, other materials, supplies, equipment, and tools -- as theft targets will likely be able to identify and counteract vulnerabilities that are more realistic for the site.
Countermeasures identified to meet the RBPS to secure chemicals at risk of theft or diversion in the example above may be included in a broader, more complete list of security measures needed to secure valuable assets and materials at the site level. By expanding the analysis to be more comprehensive, the site will meet its compliance requirements while generating a more comprehensive list of security countermeasure recommendations for management consideration. The business case for the security measures needed to comply with CFATS can be helped by showing management how the overall site risk may be reduced and how a comprehensive approach will use limited resources more wisely. Furthermore, a comprehensive approach to security avoids the development of programmatic "silos” that are set up to only address a specific regulatory challenge and may result in higher costs for meeting all of the demands.
The CSAT Site Security Plan to Implement the RBPS
The final RBPS guidance has been published by DHS, but while it provides some security metrics and guidance, it does not provide a complete roadmap for which upgrades may be needed at each tier level. These will, in fact, not be prescribed by DHS as Congress prohibited the requirement of any specific security measures. The performance basis of the rule and the general guidance will challenge the facility to determine their own site-specific security posture that will both satisfy DHS and achieve the overall security objectives of the facility in a cost-effective way. Each SSP is essentially a site-by-site negotiation with DHS given the specific risk issues and security measures proposed for compliance.
All covered facilities under CFATS will be required to fill out and submit a CSAT SSP documenting how the facility will meet the applicable RBPS appropriate at its designated tier level. The SSP submission is a key to site compliance under CFATS. DHS inspectors will use it to verify that a facility does indeed have in place the equipment, procedures, and measures documented in the DHS-approved SSP.
The CSAT SSP tool is primarily a checklist-based, menu-driven on-line tool. Similar to the CSAT Top-Screen and SVA, the SSP is a DHS data collection process to capture specific security systems and equipment at the facility as they pertain to the listed COI and assets of interest in the final tier determination specified by DHS. The result will be related to anti-terrorism issues that may not effectively address the other pertinent security issues at the facility.
Since many facilities will require security upgrades to meet the RBPS, it is crucial that the investment in security systems, equipment, and layers of protection meet the needs of DHS as well as the full range of critical assets, threats, and vulnerabilities that a security manager needs to understand and address. For CFATS compliance and general chemical facility security, a detailed review of critical assets, vulnerabilities, and existing security countermeasures (which will also be needed for comparison to the RBPS) is needed. A thorough gap analysis should identify:
Differences in CFATS assets identified in the CSAT SVA as compared to all processes and chemical storage areas or shipping areas that may be critical due to safety, replacement cost, or business impact.
Specific vulnerabilities as compared to the RBPS.
Categories of security upgrades that will be required for CFATS compliance (e.g., restrict area perimeter, secure site assets, etc.).
CFATS security upgrades that address the full range of critical assets, threats, and vulnerabilities not explicitly considered under CFATS.
Additional security investments that are needed to meet the desired overall security posture of the facility.
Optimization of the suite of security upgrades to meet both DHS and other facility security goals.
It is important to note that the RBPS guidance document is only guidance and will not require the purchase or deployment of any specific technology, device, or procedure. This performance-based approach was mandated by Congress and had the support of the chemical industrywhich was seeking flexibility. While this appears to provide wide latitude for response by industry, it also may provide wide latitude to DHS in its interpretation of what may or may not meet the performance-based metrics. A thoughtful gap analysis and justification of each security upgrade will be needed, and the basis for the data submitted in the SSP should be documented
Once a broad gap analysis is conducted and additional security upgrades are identified, it would be prudent to answer the following questions:
Will the specific security countermeasure or layers of security address an existing vulnerability of another critical asset at the site not identified previously under CFATS?
If the company has multiple facilities, will the countermeasure be applicable to more than one facility location? If so, can it be applied consistently across the company’s different locations?
If the company has multiple facilities, will the countermeasure be equally effective at all locations?
If the company has multiple facilities at different tiers, can the countermeasure be effectively scaled to address the graded security of the RBPS performance metrics?
Can applicable countermeasures and policies be “scaled up” in accordance with the requirement that the facility be able to respond to elevated threat levels (RBPS #13) ?
While we have just advocated that covered facilities do their utmost to take a broad, comprehensive, and integrated approach to understanding their CFATS requirements and use their compliance opportunity to integrate their security measures for improved overall security in a resource-conscious way, it is important to note that it may be prudent to keep the SSP documentation for CFATS compliance separated from the overall security plan that is implemented at the facility. This avoids potential “cross contamination” of information that doesn’t pertain to CFATS and makes internal auditing and DHS inspection easier.
DHS expects each facility required to submit a SSP to do so electronically using the CSAT SSP tool, unless they choose to apply for permission to submit an Alternative Security Plan. Perhaps surprisingly, then, the compliance plan required for CFATS is more a data submittal than it is a working operational plan. This begs the question as to how to document this information at the facility.
A recommended approach is to have an extractable CFATS chapter in your overall facility security plan, but possibly the cleanest way to create an SSP for CFATS compliance may be to develop a stand-alone plan that addresses the CFATS requirements directly and is supported by its own specific procedures and supporting documentation. This could be as simple as a copy of the submittal, but we recommend developing a series of policies, procedures, and other information as required to institutionalize and to make operational the CFATS requirements. In addition, all supporting information useful to prove compliance when required should be retained and nicely organized for inspection. All information developed and submitted to DHS must be protected as required by CFATS as well.
The Benefits of a Value-Added Approach
A facility that uses an integrated approach will improve their security posture in a more comprehensive way by identifying a broader range of risks tailored to the facility, thereby identifying measures and policies that will secure the facility against the theoretical risks that drive CFATS, but also include the very real safety, security, and business risks that facilities face every day. The current CFATS regulation may change and evolve with further congressional action expected when the enabling legislation expires in 2009. Sometime in the future, this might include re-evaluation and a potential change to the list of COI, identification of different threats, more comprehensive screening and vulnerability assessment steps, and more detailed security plans. Professional facility security managers who take the broader view now will be prepared to meet the challenges of the future and their facilities will be better positioned with long-term security investments that will be applicable to changes in future chemical security regulation.
Authors Lee Salamone, Senior Consultant; Brad Fuller, Principal Engineer; and H.M. Leith, Senior Principal Consultant, all work for AcuTech Consulting Group, which provides process safety, risk management and security services to industries handling hazardous materials.
Lee Salamone, Brad Fuller, and H.M. Leith
Security Management is the award-winning publication of ASIS International, the preeminent international
organization for security professionals, with more than 38,000 members worldwide.
ASIS International, Inc. Worldwide Headquarters, 1625 Prince Street, Alexandria, Virginia 22314-2818 U.S.A.
703.519.6200 | fax 703.519.6299 | www.asisonline.org