The Cybersecurity and Infrastructure Security Agency (CISA) has reviewed thousands of Site Security Plans (SSPs) and Alternative Security Programs (ASPs) submitted by high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) regulation. Based on these reviews, CISA has identified helpful hints to assist with completing your SSP as part of the authorization and approval process.
Consider What Security Measures to Address
Take a holistic approach. Think about the type of security measures your facility requires for its particular security concerns and tier. Generally, your facility’s security measures, which address the CFATS Risk-Based Performance Standard (RBPS), will fall within one of the below overarching security objectives:
- Detection. This may include considering measures such as the level of monitoring needed for the facility’s tier and security concern; taking into account the chemicals of interest (COI) state, packaging type, mitigation measures in place; and considering whether this includes personnel, closed-circuit television systems or intrusion detection systems (CCTV/IDS), or a combination of both.
- Delay. When implementing delay security measures, a facility may consider whether a single layer or multiple layers of barriers are appropriate, if the facility ships or sells COI and what protections are in place for these processes, how the facility maintains access control measures, and the standoff distance for release chemicals.
- Response. This includes maintaining a Crisis Management Plan, or similar document, that includes security response, elevated and imminent threat plans, as well as conducting outreach with local law enforcement and efforts such as participating in a Local Emergency Planning Committee to increase a facility’s preparedness and ensure appropriate response capabilities.
- Cyber. In addition to physical security measures, identifying and ensuring appropriate cyber security measures are critical to a holistic approach, especially if COIs are integrated with any cyber control, physical (CCTV/IDS), or business systems (inventory management).
- Security Management. Implementing measures to support security management includes maintaining a Security Awareness Training Program, inspection and maintenance programs, recordkeeping, establishing a security organization, incident reporting and investigations, inventory procedures, and vetting facility personnel and unescorted visitors with access to restricted areas and critical assets.
Detail Current Security Measures
Be as detailed as possible. The text boxes in the Chemical Security Assessment Tool (CSAT) SSP application have been included so that facilities can more fully describe current security measures, including how the measures address the relevant RBPS. The better CISA can conceptualize and understand your approach to security measures, the better it can evaluate whether they meet the applicable RBPSs.
Don’t overlook safety and environmental measures already in place that contribute to security. You’ve invested in them. They may reduce the likelihood of a release or theft of COI, so you should consider including them in your SSP. For example:
- Emergency response plans, training drills, and exercises that are applicable regardless of whether a release is accidental or intentional
- Product stewardship, “know-your-customer”, and other programs you have for making sure the right materials get to the right customer may also help you identify attempted product diversions
- Process safety layers of protection that not only prevent accidents, but may also create barriers to prevent a terrorist from accessing a COI
- Gas detection systems that would trigger an alarm in response to any release – accidental or intentional
Describe Planned Security Measures
Describe planned measures the facility has committed to implement. A planned measure section in your security plan can be used to describe security measures that your facility will be implementing but has not implemented at the time the SSP is submitted.
- CISA will consider planned measures when evaluating the SSP. During the authorization inspection, the facility should be prepared to provide documentation describing the timetable for implementing planned measures.
- Documentation could include evidence that the planned measure is in the process of being installed or implemented, such as detailed designs accompanied by an approved or documented capital budget or preparation for/completed bid process for installation.
Specify Facility-wide or Asset-Specific Measures
Make clear whether a security measure is applied facility-wide or just to a specific asset. CFATS requires that the COI are protected for the security issue and at the appropriate tier as identified in your tiering notification letter from CISA.
As an example, see the figure below that shows the three acceptable strategies for appropriately protecting Tier 1 asset and Tier 4 assets in a single facility.
- Secure the entire facility at the Tier 1 level
- Alternatively, the facility could secure the entire facility at a Tier 4 level, but add additional security around the Tier 1 asset to secure it at the higher level
- Another option is for the facility to secure the Tier 1 asset at a Tier 1 level, secure the Tier 4 asset at the Tier 4 level and have limited physical security measures for the facility as a whole
Overall, most facilities are implementing a mixture of facility-wide and asset-specific measures.