May 10, 2017

DHS Provides Answers to Industry Questions on Chemical Security Assessment Tool

(PAINT.ORG) In September, the Department of Homeland Security (DHS) launched "CSAT 2.0," which is a revised CSAT (Chemical Security Assessment Tool) Top-Screen, along with a revised Security Vulnerability Assessment (SVA) application, and a revised Site Security Plan (SSP) application. The agency believes these changes to its Chemical Facility Anti-Terrorism Standards (CFATS) program could result in companies spending 90 percent less time using DHS' Security Vulnerability Assessment (SVA) and 70 percent less time operating the Site Security Plan (SSP) application.

DHS subsequently began issuing facility-tiering notifications based on the CFATS enhanced risk-tiering methodology in April of this year.

The Chemical Sector Coordinating Committee (of which ACA is a member) recently questioned DHS about this new SVA/SSP format — specifically inquiring about five questions that the process asks regulated facilities to answer — and requested that DHS' Infrastructure Security Compliance Division (ISCD) clarify its expectations for how regulated facilities should respond. The five questions related to the following:

  • Q 2.50.010 Detection Measures and Identified Vulnerabilities
  • Q 2.50.020 Delay Measures and Identified Vulnerabilities
  • Q 2.50.030 Response Measures and Identified Vulnerabilities
  • Q 2.50.040 Cyber Security Measures and Identified Vulnerabilities
  • Q 2.50.050 Policies, Procedures, and Resources and Identified Vulnerabilities

According to DHS's Office of Infrastructure Protection (part of the Infrastructure Security Compliance Division, or ISCD), "the SVA — specifically including these questions — is designed to help facility personnel understand their current security posture and identify gaps in current security. For each of the five questions, facilities should describe the security posture and potential vulnerabilities related to the measure (detection, delay, response, cyber, or policies, procedures, and resources). For example, for detection measures, the facility should provide high-level descriptions of the protective measures that are in place to monitor the perimeter and/or critical asset(s) and to detect attacks at early stages. These measures may include some combination of personnel or protective force monitoring through stationed positions or roving patrols, intrusion detection systems (IDS), lighting, and/or closed circuit television systems (CCTV)."

The direction from ISCD went on to say that after describing the current detection security posture, "a facility should use this information to identify any gaps or vulnerabilities in its posture. For example, potential vulnerabilities may include access points to the perimeter and/or critical asset(s) not currently covered by a method of detection."

ISCD noted that the best source of additional information on what should be included for the five questions at issue begins on page 7 (Adobe page 21) of the Chemical Security Assessment Tool (CSAT) 2.0 Security Vulnerability Assessment/Site Security Plan Instructions, issued on March 29, 2017, which may be found here.

Under the 2006 law establishing the CFATS program, chemical facilities possessing more than a threshold amount of specific explosive, toxic, or other "chemicals of interest" have been required to complete a "top-screen," notifying DHS that they possess such chemicals on site. Once a facility submits its top-screen, DHS can direct the facility to submit an SVA, and based on that document, then assign the facility to one of four tiers based on the potential security threat on site, an action that triggers a requirement to submit an SSP (or an Alternative Security Plan, or ASP) to DHS for authorization and approval.

Per DHS, approximately 9,000 updated Top-Screens have been received from the 27,000 facilities that have reported holdings of chemicals of interest (COI) at the screening threshold quantity. ACA's members own and operate paint, coatings, resin, and chemical manufacturing facilities that are potentially subject to the CFATS provisions, and many ACA members have previously submitted Top-Screens identifying COI and have been assigned preliminary or final tiers by the department. As a result, a number of ACA member companies have become subject to the CFATS Risk-Based Performance Standards.