Taking a Lesson in Federal Compliance from the Chemical Industry
Honeywell's Jon Harmon says the industry's response to CFATS provides a model for compliance with stringent federal security requirements
By Jon Harmon, Honeywell Process Solutions
April 09, 2009 — CSO —
In many ways, the role of the CSO is directly tied to business profitability. By creating and enforcing policies that protect human, physical and intellectual assets, the CSO ensures the very integrity of the organization. This link to the bottom line, though, is about to become much stronger—and quite possibly much sooner than anticipated.
Events occurring in the U.S. chemical-manufacturing industry, specifically those relating to security guidelines being enforced by the federal government, are likely foreshadowing what's next in line for other industries.
In 2007, the Department of Homeland Security (DHS) introduced the Chemical Facility Anti-Terrorism Standards (CFATS), a rigorous program designed to protect high-risk chemical facilities from attacks. The legislation mandates that sites identified as "high-risk facilities" implement solutions, under the guidance of Risk-based Performance Standards (RBPS), to address gaps in safety and security. Under the new Congress, there will likely be additional issues addressed that may intensify the requirements, such as the need for inherently safer technologies (ISTs) and state and local interpretations related to enforcing compliance.
The penalties for non-compliance can range from hefty fines to total plant shutdowns. Under this scenario, the CSO of today's chemical plant has never had more responsibility riding on his/her shoulders.
The chemical industry is just one of the critical sectors impacted by DHS regulations. And it's very likely that CSOs across various industries (water treatment plants, port facilities, educational and banking facilities, etc.) are dealing with, or will have to deal with, federal compliance issues. With this in mind, it's critical for CSOs to begin evaluating their purchasing behaviors immediately and identifying technologies that create a holistic security solution under the possibility of future enforcement. (Editor's note: See also Case Study: Security Convergence.)
So how can a CSO truly prepare his organization for a "new normal" with stringent regulations?
What to Expect
For starters, CFATS was one of the first pieces of legislation that successfully motivated chemical facilities to develop site vulnerability assessments (SVA). The premise of an SVA is quite universal in that before a site's security systems can be bolstered, the site must first understand its existing weaknesses or gaps. SVAs are designed to find those existing gaps in everything from physical security to cyber security and life-safety systems. The SVA also prioritizes the shortcomings by determining which gaps could cause the greatest impact to the plant and surrounding community.
An SVA can take about a month or so to complete, and the next step in CFATS compliance, the creation of the actual site security plan (SSP), can take much more time. Creating an SSP requires substantial effort, focus and organizational support and often requires the assistance of expert consultants outside the organization to help understand and meet the regulation.