SourceSecurity.com US Edition
Security camera lens, CCTV Camera, Digital Recorder, Telemetric Transmitter and Controller, Intruder Alarm Control Panel, Access Control Reader, Dome Camera
Home  |  Settings  |  Marketing Options  |  eNewsletters  |  About Us  |  FAQs  |  Contact Us    Site tour of SourceSecurity.com
Unique perspectives

CFATS – latest standard in vogue amongst US chemical facilities

99 facilities have been assorted as Tier 1, or highest risk followed by 502 Tier 2 facilities
As per DHS, Tier 1 facilities will go through a preliminary round of site inspections called pre-authorisation inspections (PAI)

In October 2006, the Department of Homeland Security Appropriations Act of 2007 became law in the US. Section 550 of the Act ordered the Department of Homeland Security (DHS) to “...issue interim final regulations establishing risk-based performance standards for security of chemical facilities and requiring security vulnerability assessments and the development and implementation of site security plans for chemical facilities.” Those regulations became known as the Chemical Facility Anti-Terrorism Standards, or CFATS. In this article, Vice President of G4S Secure Solutions USA, Mr. Carlos Barbosa, gives valuable insights on the various pre and post inspection procedures for CFATS compliance of site security plans, and what the industry needs to learn from it.

As of July 2011, DHS has classified approximately 99 facilities as Tier 1, or highest risk; 502 facilities as final Tier 2; 1,155 facilities as final Tier 3 and 2,195 facilities as final Tier 4 facilities with the lowest risk.

In 2009, all identified facilities were required to file a Site Security Plan (SSP) with DHS via a web-based tool called the Chemical Security Assessment Tool (CSAT). However, it became evident that the CSAT did not mandate a sufficient amount of detailed security information for DHS to fully understand each facility’s security posture.

Inadequate Information in the Site Security Plans

The way the CSAT was designed, the SSP only required facilities to respond yes or no to questions, such as, “Does the facility have an emergency management team available?” and “Does the facility use the CCTV camera feature?”. More detail on the SSP was needed since the credibility and practicality of the regulation depended on how DHS gathered, analysed and evaluated the required information from the industry. At that moment, DHS was at a crossroads and needed to take action. On one hand, the agency could have started from scratch and reconfigured the CSAT completely. However, this would have certainly raised a lot of eye brows.

Procedural security, the availability of records and the intangible qualities of security personnel will play a critical role in the approval (or not) of a facility’s SSP
Inspectors will look for more than the most visible security measures when evaluating facility's SSP



The introduction of Pre-authorisation Inspections

Ultimately, for all Tier 1 facilities, the Department decided to institute a preliminary round of site inspections called pre-authorization inspections (PAI). How this will be addressed with the other tiers in the future is not known at this time. The PAIs were designed to provide the chemical facilities with additional guidance in writing their SSPs not included in the CSAT itself.

The PAI process started in January 2010 with facilities visited by 3 to 7 inspectors over 2 to 4 days. The PAI is not an audit per  se; it is not regulatory in nature and not stipulated in the law, but it gives the industry the chance to get a taste of what the real Authorization Inspection will look like. The inspectors will tour the facilities, will see firsthand the Chemicals Of Interest or COI, will discuss with the facility security officer the applicable risk-based performance standards (RBPS), and will discuss the different security assets and their nature. After that, the CSAT will re-open and the facility will have between 20 and 45 days to re-submit the site security plan with additional and more detailed information, a daunting task.

The Authorization Inspection: Where the Rubber Meets the Road

After the PAI is completed, the revised SSP is submitted and approved by DHS, the real audit will begin. Although at this time only a handful of facilities have actually gone through an Authorization Inspection or (AI), this is a key element of the regulation. A typical AI lasts for about a week and is staffed by six inspectors on average. The aim of DHS is to validate the approved SSP during this inspection. The inspectors will - of course - look at obvious security measures such as the perimeter fence and the video surveillance equipment; but more important, they will evaluate less evident measures such as procedural security, training records, and security personnel screening and selection processes.

Sophisticated security vendors can add substantial value to a facility’s security posture through the use of intelligent technologies and consulting services

Another DHS objective is to make sure that the planned security measures identified in the SSP comply with the definition of “planned security measures” as understood by DHS. A planned security measure as defined by DHS must be realistic, budgeted, under development and with a completion date in the near future. Finally, the DHS inspectors will have conversations with security personnel at the site and will evaluate their responses to questions such as:
  • Explain your visual inspection procedures
  • Explain the suspicious package procedures
  • Explain and demonstrate an undercarriage inspection process, etc.

Control room operators will also be interviewed at all AIs and asked about the emergency notification procedures of the facilities, shutdown procedures and worst case scenario response.

Lessons Learned

Now that several tier 1 PAIs and a handful of AIs have been completed, a few lessons can be shared with the regulated chemical industry at large. First of all, it is important to remember that inspectors will look for more than the most visible security measures when evaluating your SSP.

Procedural security, the availability of records and the intangible qualities of security personnel will play a critical role in the approval (or not) of a facility’s SSP. Therefore, the second lesson is that the security provider at your regulated facility should be a true partner during the entire CFATS process. To involve the security vendor from the beginning guarantees a more cohesive approach to the inspection process. Sophisticated security vendors can add substantial value to a facility’s security posture through the use of intelligent technologies and consulting services.

The final lesson is to make sure that the facility’s security personnel are fully trained, properly screened (in accordance with RBPS 12 Personnel Surety), and bring the right traits for the job.

The inspectors are doing their job. Have you done yours?

Vice President of G4S Secure Solutions USA Carlos Barbosa
Vice President of G4S Secure Solutions USA

Related videos
Bookmark and Share
Latest Technology Report

SourceSecurity.com Technology Report: Managing Business Remotely Using the Cloud

A Technology Report from SourceSecurity.com, produced in collaboration with Oncam Technologies, highlights how a new technology platform that combines cloud-based computing and automated on-site data collection can help businesses with remote monitoring and management.

The white paper outlines how the OnVu360 management platform combines inputs from surveillance systems, access control, intrusion detection systems, and video analytics, among others to improve remote business management and security management across several markets including retail, public security, and home automation.

Download White paper

See privacy and cookie policy
International Edition