Securing the Chemical Sector: An Overview of the Chemical Facility Anti-Terrorism Standards August...
-
Upload
herbert-gibson -
Category
Documents
-
view
218 -
download
1
Transcript of Securing the Chemical Sector: An Overview of the Chemical Facility Anti-Terrorism Standards August...
Securing the Chemical Sector:An Overview of the Chemical Facility Anti-Terrorism Standards
August 29, 2007
Ronald E. Miller
Inspector
2
CFATS – Regulation Overview
DHS’s chemical facility security regulatory regime—the Chemical Facility Anti-Terrorism Standards (CFATS)—was published on April 9, 2007 In developing the final regulations, DHS reviewed over 1300 pages of comments on the
ANRM submitted from over 110 commenters The CFATS, which will go into effect after a 60-day Congressional review period, also
includes a list of Chemicals of Interest open for public comment and review
DHS has created the Office of Infrastructure Protection’s Chemical Security Compliance Division (CSCD) to oversee the regulatory program
Depending on degree of risk posed, covered chemical facilities will be placed in one of four tiers Regulation will use risk-based performance standards, allowing facilities to select the most
cost-effective combination of measures to achieve an appropriate level of security
CSCD will roll out regulatory oversight in a phased approach During 2007, DHS will focus its resources on approximately 50 of the highest risk facilities However, during 2007, all chemical facilities will be required to complete an initial
consequence screen to identify which facilities are high risk
Security measures at chemical facilities will never compromise safety measures
Chemical facility security risks will not be transferred to surrounding communities
3
CFATS – Regulation Overview (cont.)
The CFATS uses a multi-step process to: Identify high-risk chemical facilities
Assign high-risk chemical facilities to risk tiers
Identify vulnerabilities at high-risk chemical facilities
Develop and implement Site Security Plans
Inspect and audit facilities to ensure vulnerabilities are adequately addressed and risk-based performance standards are met
Other important CFATS components include: Alternate Security Programs
Adjudications Process
CVI
Step 1: Trigger Top Screen (STQ)
Step 2: Perform Top Screen
Step 4:Perform SVA
Step 5: Develop Site Security Plan
Step 3:Receive Preliminary Tiering
Step 7:Inspections/Audits
Step 8:
Step 6:DHS Review of Site Security Plan
Implement Site Security Plan
5
CSAT – Top Screen
Top Screen To identify which chemical facilities are high risk, and to gather information for DHS to
make initial risk-based tiering decisions, facilities must complete a “Top Screen” Top Screen information will be submitted to DHS via the secure DHS CSAT website A facility must complete and submit a Top Screen if it possesses any of the chemicals listed
in Appendix A at the corresponding Screening Threshold Quantity (STQ)
Designated Submitter Each facility must designate a submitter who is responsible for submitting the Top Screen
information to DHS The submitter must be designated by an officer of the corporation and domiciled in the U.S.
Preliminary Determination Based on the information provided through the Top Screen process, DHS will determine
whether or not a facility “presents a high level of security risk” and thus is a covered facility under the regulations
• A facility’s risk primarily depends on whether or not a terrorist attack could result in significant adverse consequences for human life or health, national security or critical economic assets
Facilities will be notified in writing by DHS upon such a determination
Submission Schedule The Top Screen must be completed and submitted within 60 days of the effective date of
Appendix A or within 60 calendar days for facilities that subsequently come into possession of any of the chemicals listed in Appendix A at the corresponding STQs
If a covered facility makes material modifications to its operation or site, the covered facility must submit a revised Top Screen within 60 days of material modification
6
CSAT – Security Vulnerability Assessment
What is the SVA? To better define their security posture and identify their vulnerabilities, all covered facilities
must complete a Security Vulnerability Assessment (SVA)
Facilities in Tiers 1-3 must use the CSAT SVA tool developed by DHS• Tier 4 facilities may use the CSAT SVA tool or submit an approved alternate SVA under the Alternate
Security Program portion of the regulations
SVA Makeup An SVA will include an asset characterization, threat assessment, security vulnerability
analysis, risk assessment, and countermeasure analysis
Submission Schedule
Covered facilities must complete and submit SVAs within 90 calendar days of written notification from the Department or within the time frame specified in any subsequent Federal Register notice
Review and Approval DHS will review and approve in writing all SVAs that satisfy the requirements of § 27.215,
including Alternative Security programs submitted pursuant to § 27.235
If an SVA does not satisfy the requirements of § 27.215, DHS will provide the facility with a written notification that includes a clear explanation of deficiencies in the SVA
• DHS will offer assistance to facilities that submit deficient SVAs
7
Registration for CSAT
Registration In order to access the CSAT secure on-line tool, users must register with DHS
by submitting a user access form
Process After completion and submittal of the user access request form, DHS will issue
unique usernames and passwords for access to the CSAT data collection tool to protect your company’s sensitive data
Facilities must designate:• A Preparer – authorized to enter the required data into CSAT,• A Submitter – certified by the company or corporation to formally submit the regulatory
required data to the Department. The Submitter must be authorized and domiciled in the U.S, and
• An Authorizer – empowered by the facility parent company to provide assurance that the user account request for the Preparer and Submitter is valid
After Registration Upon receipt of username and password via email, and following the June 8,
2007 activation date, users may access the Top Screen CSAT collection tool (found on-line at www.dhs.gov/chemicalsecurity)
8
Tiering of Covered Facilities
Preliminary Tiering
All covered facilities shall be placed within one of four risk-based tiers, ranging from the highest risk facilities in Tier 1 to lowest risk facilities in Tier 4
• Facilities not covered by the regulation will not be tiered
Initial tiering decisions will be based on information about the facility received from the Top Screen or other means
The Department will notify a a facility of its initial risk based tier in writing
Final Tiering
After receiving the SVA, DHS will review the SVA and either confirm or adjust the risk-based tier assigned to the facility
If, after receiving its final tiering, a facility makes material modifications to their operations, materials on site, etc., they must submit a revised Top Screen (and possibly SVA & SSP), and their tiering may be adjusted accordingly
9
Site Security Plans
SSP: Each covered facility must prepare and implement a Site Security Plan that: Addresses each vulnerability identified in the SVA and describes the security measures to
address each such vulnerability Identifies and describes how security measures selected by the facility meet or exceed
each applicable performance standard for the facility’s risk-based tier
CSAT SSP DHS has prepared a template for a model SSP, which is available through the CSAT tool Facilities must use either the CSAT model SSP or an alternate SSP format approved by
DHS under the Alternate Security Program
Submission of SSP SSPs must be submitted within 120 calendar days of written notification from DHS or within
the time frame specified in any subsequent Federal Register notice When a covered facility updates, revises or otherwise alters its SVA, the covered facility
must make corresponding changes to its SSP
Review and Approval DHS will review and approve or disapprove all SSPs using a two-step process:
• First, DHS will make an initial determination based solely on the SSP and, if it is acceptable, issue a Letter of Authorization
• Once SSP is authorized, DHS will inspect a facility for determination of compliance with the rule; if in compliance, facility will receive a Letter of Approval
If DHS disapproves a SSP, the facility will be notified in writing. • Note that DHS will not disapprove a SSP based on the presence or absence of a particular security
measure
10
Risk-Based Performance Standards
Performance Standards
Covered facilities must satisfy the Risk-Based Performance Standards (RBPSs) identified in Section 27.230 of the regulations
There are 19 RBPSs in the rule, addressing the following areas:
Guidance for Covered Facilities
DHS will issue guidance on the application of these standards to risk-based tiers of covered facilities, and the acceptable layering of measures used to meet these standards will vary by risk based tier. 6 CFR 27.230(a)
1. Restricted Area Perimeter2. Securing Site Assets3. Screening and Access Controls4. Deter, Detect, and Delay5. Shipping, Receipt, and Storage6. Theft and Diversion7. Sabotage8. Cyber9. Response10. Monitoring11. Training
12. Personnel Surety13. Elevated Threats14. Specific Threats, Vulnerabilities,
or Risks15. Reporting of Significant Security
Incidents16. Significant Security Incidents and
Suspicious Activities17. Officials and Organizations18. Records19. Others as determined by DHS
11
Inspections and Audits
Inspections Generally In order to asses compliance with the requirements of the regulations, DHS may enter,
inspect, and audit covered facilities
Inspections will follow preliminary approval of SSPs
Timing of Inspections
DHS will provide 24-hour advance notice of inspections, except:• If DHS determines that an inspection without such notice is warranted by exigent circumstances
• If any delay in conducting an inspection might be seriously detrimental to security, and the director of CSCD determines that an inspection without notice is warranted
DHS may conduct spot inspections, if deemed necessary
Inspectors Inspections and audits initially will be conducted by a team of specially trained Federal
Protective Service inspectors detailed to CSCD
Confidentiality of Information In addition to the protections afforded by CVI, information received in an audit or inspection
shall remain confidential under the investigatory file exception, or other appropriate exception to the public disclosure requirements of 5 U.S.C. 552.
12
Alternative Security Plans
Definition
A third-party or industry organization program that DHS has determined meets the requirements of 6 CFR 27 and provides for an equivalent level of security to that established by the regulation
Applicability
Tier 4 facilities may submit an ASP in lieu of an SVA or SSP
Tier 1, 2, & 3 facilities may submit an ASP in lieu of a SSP, though they may not submit an ASP in lieu of an SVA, i.e., Tier 1, 2, & 3 facilities must submit a CSAT SVA
Notification
DHS will inform a covered facility of the approval or disapproval of an ASP in a fashion similar to notifications provided for following approval or disapproval of an SVA or SSP
13
Orders & Adjudications
Orders When DHS determines that a facility is in violation of any of the regulatory requirements,
DHS may take appropriate action including the issuance of an appropriate Order Types of orders include Orders Assessing Civil Penalty and Orders to Cease Operations
• Civil penalties not to exceed $25,000 per day per violation Orders will include a description of the noncompliance, how to address the noncompliance,
and the date by which the facility must comply with terms of the order
Adjudication Any facility who has received a finding is entitled to an adjudication of any issue of material
fact relevant to any administrative action which deprives that person of a cognizable interest in liberty or property
Adjudications will be heard by a neutral adjudications officer Findings eligible for adjudication include potential security threat designations, SSP
disapproval, and issuance of Orders To challenge a DHS determination, applicants must file Notice of Application for Review
within seven calendar days of receipt of notification to the affected party of DHS’ Finding, Determination, or Order
“Orders typically are stayed from the time of the filing of a Notice of Application for Review until the Presiding Office issues an Initial Decision”
Appeals If an affected party disagrees with the Initial Decision received in the adjudication process, it
has the right to appeal that decision to the Under Secretary
14
Chemical-terrorism Vulnerability Information
Chemical-terrorism Vulnerability Information (CVI) CVI is an information handling regime established for the maintenance, safeguarding, and
disclosure of the certain information and records related to the CFATS regulatory regime, including:
• Security Vulnerability Assessments
• Site Security Plans
• Documents related to the review and approval of SVAs and SSPs
• Alternate Security Plans
• Documents related to inspections or audits, etc.
• Other similar documents
All CVI materials must be appropriately marked, handled, and stored
Eligible Persons to use CVI The following classes of people may use CVI if they have a need to know:
• Facility employees
• Federal employees, contractors, and grantees
• State/local government employees
CVI access will include training and certification
Violation of CVI Violation of CVI is grounds for a civil penalty and other enforcement or corrective action by
DHS and appropriate personnel actions for Federal employees
15
Review and Preemption of State Laws and Regulations
Preemption
No law, regulation, or administrative action of a State or political subdivision thereof shall have any effect if such conflicts with, hinders, poses an obstacle to, or frustrates the purposes of this regulation or of any approval, disapproval, or order issued thereunder
Review of State Laws
DHS may review State laws, administrative actions, or opinions or orders of a court under State law and regulations submitted under this section, and may offer an opinion whether the application or enforcement of the State law or regulation would conflict with, hinder, pose and obstacle to or frustrate the purposes of this Part
DHS may issue an opinion on any question regarding preemptions
DHS will always seek the views of the State or local jurisdiction whose laws may be affected by the review