Mapping Alternative Routes to CFATS Compliance
Chemical companies seeking to comply with federal Chemical Facility Anti-Terrorism Standards (CFATS) regulations have focused almost entirely on using the Department of Homeland Security's Web-based Chemical Security Assessment Tool (CSAT) to create and submit a Site Security Plan.
The American Chemistry Council (ACC) is now reviving interest in an alternative. The chemical association is working with the Department of Homeland Security to revamp the Alternative Security Program (ASP) to make it a useful tool for CFATS compliance. A new ASP Guidance Document will complement the current Site Security Plan (SSP) process and help to accelerate plan approvals by clarifying aspects of the process that remain undefined, such as what level of detail to include in the SSP. The new alternative approach will enhance the information provided to better guide security enhancements for a faster and more efficient route to CFATS compliance.
Although the Alternative Security Program (ASP) route has been part of the CFATS regulation from the beginning, it has previously been rarely used, and the industry – with the full encouragement of the DHS – has instead focused mostly on using the CSAT. However, SSPs do have certain deficiencies, and the ASP option allowed by CFATS regulations is being revisited as a route to compliance. DHS defines an ASP as a security initiative that a “third party” has developed and that the Assistant Secretary of DHS has determined meets the requirements of the CFATS Site Security Plan process.
Many chemical security professionals have witnessed firsthand the limitations of the online DSAT and the resulting SSPs. For example, the Web-based DSAT asks hundreds of “yes” or “no” questions about the generic elements of a facility's security posture, such as “Does the facility have a CCTV system?” One-word answers to such questions may provide inadequate information to enable the DHS to assess a facility's real security posture.
In fact, a survey of 1,000 high-risk chemical facilities by the American Chemistry Council in 2011 agreed that the SSP process is unwieldy and provides limited value to a facility or DHS inspectors.
To enhance the security assessment process, the American Chemistry Council's proposed Alternative Security Program includes examples of security measures deployed at various facilities to make aspects of the assessment process as clear as possible.
The proposed ASP Guidance Document will also include:
- A general overview of the ASP process;
- An actual ASP template that security directors may be able to use to gather and present relevant information;
- Specific guidance on the “level of detail” required;
- Checklists on the required security measures to be documented and associated with the corresponding Risk-Based Performance Standards (RBPS), which cover requirements such as securing site assets, screening and controlling access, sabotage and dealing with specific threats, vulnerabilities or risks;
- Examples of potential security measures; and
- A “cross-walk” between CFATS and ACC's Responsible Care Security Code.
ACC has actively promoted chemical facility security since it created the stringent Responsible Care Security Code within months of the terrorist attacks of 9/11. ACC says its member companies have invested more than $11.2 billion to further enhance site, transportation and cyber security at their facilities under the Security Code, which has become a gold standard for the industry and served as a model for regulatory programs. Clarifying and facilitating continuing compliance with CFATS is a logical extension of that effort.
ACC and DHS plan to start a pilot ASP program this summer, and the progress of the pilot is being shared during the DHS Chemical Security Summit this summer in Baltimore.
CFATS also includes provisions addressing inspections and audits, record keeping and the protection of chemical vulnerability information. The DHS has staffed up with additional manpower to aggressively enforce compliance with CFATS regulations. Non-compliance can result in fines of $25,000 per day and closure of a facility, so clearly there is a lot at stake. Any initiative that can provide additional clarity to the current SSP process is a good idea and may be the solution to CFATS' greatest challenge: clear, concise and unambiguous guidance on what to do and what not to do in connection with security measures.