in this issue
Security Watch: Prepping for DHS's SSP Review
3:36 PM MST | January 11, 2010 | By STEVE ROBERTS
As Congress debates the future of Chemical Facility Anti-Terrorism Standards (CFATS)--not only to make it permanent but also to require more stringent protection measures--the Department of Homeland Security (DHS) has already assigned more than 2,000 chemical facilities to one of four final risk-tiers.
Each of these facilities must complete a Site Security Plan (SSP), essentially a data-gathering tool that does not result in an operational or functional security plan. Precisely how DHS will review the SSP and what compliance means in light of the flexibility afforded by the regulation, however, is less clear.
As a risk-based performance standard, DHS can establish security outcomes for CFATS but not the precise manner by which to achieve them. For example, all CFATS-regulated facilities must restrict the perimeter. DHS cannot prescribe how, specifically, a facility must achieve this security outcome for each risk-tier. This flexibility is welcome and will enable facilities to select the most appropriate means in which to enhance security. It also makes compliance a moving target--especially considering that the regulation is a case of first impression, which may be significantly altered by Congress through future legislation.
DHS has not offered a vision of its SSP review and adjudication process. What little is known comes directly from the regulatory text itself and requires DHS to review the SSP in a two-step process. The first part of the review is administrative and will likely assess issues such as the completeness, timeliness, and consistency of the submitted information. Assuming the facility passes administrative review, DHS will issue a Letter of Authorization and then dispatch a security inspector to conduct an on-the-ground review.
Part of this assessment likely will include confirmation of so-called "planned security measures" that the facility may have included as part of its SSP. As suggested by the term, planned security measures do not exist at the facility as of the date of the SSP submission, but will be added in the future. Accordingly, DHS reserves the right to verify that all planned security measures will, in fact, become a reality. DHS could verify them in many ways, such as reviewing a procurement contract that identifies the forthcoming security enhancements or changes. Following a successful on-site review, DHS will issue a Letter of Approval, and the facility will implement its plan.
If DHS identifies deficiencies during the initial review or on-site review, it must provide written notification that includes a clear explanation of the deficiencies. If a resubmitted SSP remains deficient, the regulation provides for a more formal adjudication process. The conclusion of formal adjudication represents "final agency action," enabling review in U.S. District Court. Indeed, given the evolutionary nature of the CFATS program, the number of SSPs that DHS expects to receive, and the inherent subjectivity of performance-based regulation, the likelihood of some good-faith disagreements is high. How this will unfold in practice remains to be seen.
Roberts is a Texas-based attorney and Chemical Week columnist who practices in chemical and transportation security law. He can be contacted at firstname.lastname@example.org.