A Conversation with Frank Pisciotta
Frank Pisciotta is the president of Business Protection Specialists Inc., a security consulting firm that works in a number of different verticals, including chemical security. We sat down with him to find out the on-the-ground view of CFATS compliance.
Q. Tell me about what your firm does to help facilities become CFATS-compliant.
A. We are a physical and technical security consulting firm, and we’ve been working in the chemical sector for about 21 years. As far as CFATS goes, we work alongside clients of all different sizes and types to help them achieve regulatory compliance, complete their security vulnerability assessment, develop their site security plan, and train facility security officers to comply and designing security programs. We do the front-end engineering and design to enable companies to understand what compliance with the regulations is going to cost them as soon as their plans are approved.
Q. Where in the compliance process are a lot of the facilities you are working with?
A. There are probably somewhere between five and six thousand regulated facilities in the U.S. Most have received their final determination letters, though there are still still a few a hundred that haven’t. The issue really is that DHS is understaffed for the amount of work they have to do to meet up with the regulations. While there are only five to six thousand facilities regulated, they received 38,000 topscreens from organizations with chemicals of interest. So they’ve had to wade through all of that.
The law also provides a provision to request a redetermination of your initial determination, and anyone who can get out of having to comply with this law is going to try as hard as they can to do so. So DHS has had thousands of requests for redetermination. This has slowed DHS down in terms of getting through the SSP reviews.
DHS will also tell you that their data collection tool didn’t serve them the way they thought they did – it wasn’t thorough enough. So now they have to go back to their Tier-One facilities to ask them to more clearly interpret the information that they’ve submitted. It seems that there’s one delay after another here, which means there aren’t very many companies that have SSPs approved and in place. Of the 60 facilities that we’re working with right now, none have received approval yet.
Q. What are some common challenges that facilities you’re working with are facing?
A. Prior to CFATS, you had companies that arguably had adequate security programs for their security design basis. If you looked at all the criminal threats, insider threats, workplace violence threats they faced, companies were fairly well put together to address those types of threats. When the government comes along and says, “You now have to contend with highly motivated adversaries and terrorists,” all of that drops, and you essentially have to start building your security program from the ground up again.
Also, DHS isn’t done figuring out how they’re going to implement all of this stuff. For example, there’s a requirement that people with unlimited access to these chemicals of interest undergo a terrorist background screening. But DHS doesn’t know what system they want people to use to screen these people yet.