Overcoming Challenges, Finding Unexpected Benefits In CFATS

The Chemical Facility Anti-Terrorism Standards are complex and fairly disruptive. Few would argue that. The risk-based performance standards guidance alone is nearly 200 pages long, and many companies have had to re-allocate or hire staff, facilitate training and certification, and contemplate ways to re-imagine corporate processes in order to control access to chemicals of interest.

However, when all is said and done, regulators and most of the regulated seem to agree that the standards should lead to the shoring up of potential vulnerabilities that, before CFATS, often went unaddressed.

When will all be said and done? It will probably be a while yet, since as of this writing more than 2000 top-screened organizations haven’t yet received their tier letters from DHS, and even Tier 1 companies are still in the process of receiving approval for and implementing their site security plans (SSPs).

Whether you’ve only just discovered your company’s risk tier or whether you’re embarking on the final phases, it may be helpful for you to consider that there may be unnoticed benefits behind the challenges of CFATS. Members and faculty of the Security Executive Council recently shared their thoughts on some common CFATS compliance challenges and how they’ve overcome them, as well as some tips on where to look for those hidden benefits.

Who’s the Boss?
Who owns the CFATS compliance process? Who’s responsible for managing it? It’s a DHS program, so should it be global security? Risk management? Or should it be environmental health and safety, or someone else entirely?

Assigning responsibility for CFATS is one challenge many organizations face, says Chad Wehrman, senior security manager, stewardship and global enterprises for Procter & Gamble, a member of the Security Executive Council.

“It’s very helpful to know how you’re going to be involved at the early stages, so you can understand who has the ultimate authority and who the primary point of contact is,” Wehrman says. “What I would recommend is determining up front who is going to be responsible for compliance, leadership and ownership of the program.

“At P&G, we’ve worked through an internal process to determine that global security should play an active role, and we have identified others within the company who can answer the technical questions pertaining to the chemicals as we go through the process.”

Procter & Gamble manages compliance centrally from its headquarters. One staff member dedicates about 10 percent of their time to monitoring and tracking compliance stages at the company’s various regulated sites, and there are several security managers trained to perform security vulnerability assessments (SVAs) and develop SSPs.

Oilfield services company Baker Hughes takes a slightly different approach to managing compliance, according to Jose Olivarez, the company’s vice president of security, Western Hemisphere, also a Security Executive Council member.

In 2009, he hired a new team member specifically to address CFATS.

“This new global, physical and regulatory security manager leads our compliance efforts and is responsible for SVAs and methodology, and ensuring that the minimum security standards not only of CFATS but of Baker Hughes are met at any facility we have around the world,” Olivarez said.

Regardless of which functional unit holds primary responsibility for compliance, it’s crucial for the responsible function to bring in assistance and advisement from other business units, George Miserendino, owner of Triton Security Solutions and Security Executive Council faculty said member.

Miserendino has consulted with numerous companies working to achieve compliance. The former director of corporate security for Excel Energy, he has also worked with the Edison Electric Institute’s Security Committee on CFATS issues since the drafting of the standards. “The best way to approach (the compliance process) is with a cross-functional team that consists of physical security, environment, safety, site operations, and maintenance,” he said. “That’s the best model I’ve seen.”

Internal Communication and Time
As part of CFATS, DHS has implemented an information protection regime called Chemical-terrorism Vulnerability Information (CVI), which limits what information can be shared about regulated companies and their compliance processes, and with whom.

While valuable, the limitations of CVI can make internal communication difficult if they’re not handled early on, Wehrman said.

“We can’t discuss specifics with anyone at any of the sites unless they’ve been through CVI certification,” he said, so ensuring that all affected parties are certified before site visits begin is crucial for communication and saves time as well.

“We have to travel to each site and spend a day reviewing the facility prior to sitting down and completing any of the paperwork, because we have to understand the chemical, where it’s housed, how it’s protected, whether we need to add any safeguards, and whether we believe we’ll be compliant with the current status,” Wehrman said. “So the site visits are sometimes several days long, and we’ve found we have to have a team of people that will answer all the questions during the visit. Not just the security manager and the local security contact at the site; we need to have experts in IT, risk managers, environmental health and safety managers, and site chemical owners, and they need to be actively involved. So gathering the team together, scheduling the time and making sure everyone is CVI certified before we arrive can make a lot of difference in the efficiency of the site visit.”

Wehrman also notes that there is other “pre-work” that can be done before the visit to save time and ease the process, including mapping and logistical questions regarding the facility.

Dealing with the Government
Maintaining strong communication with DHS representatives during the compliance process is not always easy, but according to Miserendino, it is key to an efficient compliance process. Regulated companies aren’t the only ones under a heavy workload with CFATS. DHS is dedicating staff to analyzing top screens, evaluating and approving SVAs and SSPs, running help desk, and conducting regular audits and inspections. Sometimes communicating with the DHS field representatives poses a challenge.

“The important thing is ensuring we develop and foster a relationship with our contacts at DHS,” Olivarez said. “We do so through one-on-one sessions, being leaders and participants in security sessions and panel discussions, and being actively involved in our industry to ensure our voices and those of fellow constituents are heard for the benefit of the entire industry and the program.”

Persistence is key when communication is difficult, Miserendino said. He recommends calling DHS contacts several times to give them an opportunity to respond. If response still doesn’t come, e-mail the CFATS Help Desk and request the name of the regional CFATS supervisor.

Hidden Benefits
As promised, if these and other common challenges can be overcome, CFATS-regulated sites may be able to turn their work on the compliance process into unexpected gain for their companies. There are many side benefits to CFATS compliance.

Regular drills and exercises. CFATS RBPS 11 stipulates that companies conduct regular training commensurate with their level of risk.

“I think that’s one of the best parts of the risk based performance standards,” Miserendino said. “We’ve been encouraging annual training, drills and exercises to validate the training, as well as having formal lessons-learned and incorporating those lessons into the procedures. It’s the basis of continuous improvement.”

Better background checks. RBPS 12, personnel surety, requires background checks and appropriate credentialing for staff, third parties and visitors.

“I think they’ll get a better caliber of employee because they’ll be doing rigorous background checks,” Miserendino said, highlighting a solid business-enhancing byproduct to a basic security requirement.

Potential to improve future compliance efforts. Olivarez of Baker Hughes is using the CFATS compliance process as the jumping-off point for a new Regulatory Center of Excellence.

“I saw this coming down the road,” Olivarez said. “The U.S. and our industry are beginning to be more and more regulated on different fronts, not just chemicals, but in transportation of hazardous materials and other areas of our business.” The new manager Olivarez hired to head up CFATS compliance has a future-forward business plan of dealing with global compliance issues proactively for whatever comes next down the pike.

Internal checkup. As frustrating as CFATS compliance may be for some, it requires all regulated organizations to carefully evaluate their own processes and methods, which is something all companies should do from time to time.

“You never should get too comfortable,” Olivarez said. “The intense scrutiny that you put your facilities through forces you to look at things through a magnifying glass. Items that we may not have considered problematic in the past have been identified with clarity, and it’s helped us evaluate the fitness of our methodologies and approach to risk analysis.”

Wehrman said he agrees with Olivarez.

“We had secure controls in place, but they may have been site specific instead of focusing in on a specific chemical that could be construed as a threat,” he said. “And we can re-apply those learnings to additional facilities outside of the U.S. We can apply this standard to all our facilities globally.”

Better seat at the table. “When you deal with these kinds of complex programs, you can’t do it in a vacuum,” Olivarez said. “and the synergies you find when you bring other functions into the fold helps you enhance your security programs. We’ve been able to demonstrate value-add back to the business because in a couple of sites we’ve been able work with site management to improve the operations and processes to reduce chemicals of interest.

“Now our professionals are not just talking about just security, but how we operate the business.”

Special thanks to George Miserendino (solutions@tritonsecsol.com), who provided significant material support for this article.

About the Author

Marleah Blades is senior editor for the Security Executive Council, a problem-solving research and services organization that involves a wide range of risk management decision makers. Its community includes forward-thinking practitioners, agencies, universities, NGOs, innovative solution providers, media companies and industry groups. For more information about the Council, visit https://www.securityexecutivecouncil.com/?sourceCode=cfatsnews.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3