Home
Media
White Papers
CFATS Pre-Authorization and Authorization Inspections

The G4S CFATS Update

12 April 2011

Lessons learned from Pre-Authorization and Authorization Inspections

by Carlos Barbosa, Senior Director, G4S Secure Solutions (USA)

In October 2006, the Department of Homeland Security Appropriations Act of 2007 became law. Section 550 of the Act ordered the Department of Homeland Security (DHS) to “…issue interim final regulations establishing risk-based performance standards for security of chemical facilities and requiring security vulnerability assessments and the development and implementation of site security plans for chemical facilities.”

Those regulations became known as the Chemical Facility Anti-Terrorism Standards or CFATS and apply to “high-risk” facilities that possess certain quantities and concentrations of chemicals.

Out of all chemical facilities across the United States, as of February 2011, DHS had identified 218 Tier 1 (highest risk), 535 Tier 2, 1126 Tier 3, and 2215 Tier 4 (lowest risk) facilities. Among other documents, all facilities were required to file a Site Security Plan with DHS via a web-based tool called the Chemical Security Assessment Tool or CSAT.

It is clear now that once DHS received and started processing the SSPs from the facilities, it realized that the tool did not ask for a sufficient amount of detailed security information for DHS to fully understand the facility’s security posture.

Washington, we have a problem…

Most of the CSAT SSP only required the facilities to respond with a yes or no to questions such as “Does the facility have an emergency management team available?” and “Does the facility use the CCTV camera feature?” More detail was needed. The credibility and practicality of the regulation depended on how DHS gathered, analyzed and evaluated the required information from industry and frankly, yes and no answers can only go so far. DHS was at a crossroads.

It could have changed the tool completely and started from scratch. Some of us who have seen first-hand the amount of effort and resources applied to the process, know that this would have risen more than eyebrows in the industry.

DHS took a different route though. The Department instituted a preliminary round of inspections at all Tier 1 facilities (how this is addressed with the other tiers in the future is anybody’s guess but we have our theories) called the pre-authorization inspections or PAI. The PAIs were designed to become an extension of the SSP and find out – in person – how incomplete the CSAT SSP really was and give the facilities guidance.

The PAI process started in January 2010. The facilities are being visited by three to seven inspectors and last two to four days. The PAI is not an audit per se. It is not regulatory in nature as it is not mentioned in the law but it is giving industry the chance to get a taste of what the real Authorization Inspection will look like.

The inspectors will tour the facilities, will see firsthand the chemicals of interest or COI, will discuss with the Facility Security Officer the applicable RBPS, and will discuss the different security assets and their nature. After that, they will leave in peace. The outcome of the PAI is always the same. The CSAT will re-open and the facility will have between 20 to 45 days to re-submit the SSP with additional and more detailed information, a daunting task.

The Authorization Inspection, where the rubber meets the road

After the PAI is completed, the revised SSP is submitted and DHS gives it the OK, the real audit begins. Although only a handful of facilities have actually gone through an Authorization Inspection or AI, this is a key element of the regulation. A typical AI lasts for about a week and is staffed by six inspectors on average.

The aim of DHS is to validate the approved SSP during this inspection. The inspectors will - of course - look at obvious security measures such as the perimeter fence and the CCTV equipment but more importantly, they will evaluate less evident measures such as procedural security, training records, and security personnel screening and selection processes.

Another DHS objective is to make sure that the planned security measures identified in the SSP comply with the definition of “planned security measures” as understood by DHS. A planned security measure goes beyond an activity or investment that a plant would like to do at some point in time (this would be considered a proposed security measure and does not count towards SSP approval). A planned security measure, as defined by DHS has to be a realistic, budgeted, under development and with a completion date in the near future.

Finally, the DHS inspectors will have conversations with the security personnel at the site and will evaluate their responses to questions such as: Explain your visual inspection procedures, explain the suspicious package procedures, explain and demonstrate an undercarriage inspection process, etc. Control room operators have also been interviewed at all AIs and have been asked about the emergency notification procedures of the facilities, the shutdown procedures and worst case scenario response.

Lessons learned

After several tier 1 PAIs and a handful of AIs have been completed, a few lessons can be shared with the regulated chemical industry at large.

First of all, it is important to remember that the inspectors will not only look for the most visible security measures when evaluating your SSP. The how will be as important as the what. Procedural security, the availability of records and the intangible qualities of the security personnel will play a critical role in the approval (or not) of a facility’s SSP.

Therefore, our second lesson learned is to make the security provider at your regulated facility, a true partner during the whole CFATS process. To involve the security vendor since day one guarantees a more cohesive approach to the inspection process. Also, sophisticated security vendors can add substantial value to a facility’s security posture through the use of intelligent technologies and consulting services. Finally, make sure that the facility’s security personnel are fully trained, properly screened (in accordance with RBPS 12 Personnel Surety), and bring the right traits for the job.

The inspectors are doing their job, have you done yours?

Contact details

Carlos Barbosa (Senior Director, G4S Secure Solutions USA): 800-275-8305

About G4S

G4S Secure Solutions is a leading provider of integrated security solutions in the U.S. With 110 offices and approximately 40,000 employees across the country, G4S offers a unique combination of the security personnel, monitoring, tracking and response technologies to provide users with customized security solutions uniquely tailored to meet their needs. For more information visit: www.g4s.com/us

G4S is the world's leading security solutions group, which specialises in outsourcing of business processes in sectors where security and safety risks are considered a strategic threat. G4S is the largest employer quoted on the London Stock Exchange and has an additional stock exchange listing in Copenhagen. G4S has operations in more than 120 countries and more than 625,000 employees. For more information on G4S, visit www.g4s.com

Contact Us

Phone: 800-922-6488 (Please, no job inquiries.)
Mail: Request more information.
(For job inquiries, please visit our careers area.)

Green Options

Looking for a simple way to “Go Green”? Ask for a paperless invoice. Paperless invoicing is a core part of the G4S Secure Solutions (USA) Inc. Climate Action Program.