I'll be curious to see who comes out of the woodwork to perform the security assessments and to prepare the security plan mandated by this regulation.

This reminds me a little of the requirement that came out a few years back that mandated that water utilities over a certain size conduct threat and vulnerability assessments. The majority of the major engineering firms (CH2M Hill, URS, etc.) sent people to become certified in the approved assessment methodology (RAM-W) and suddenly became experts in security.

Our firm pursued a number of these water utility projects and won a few, but the vast majority went to engineering firms with whom the water utility already had a relationship with. As it turned out, probably 90% of these type of assessments ended up being awarded to engineering firms rather than security consulting firms.

The only consolation for me was, in a couple of instances, the water utilities called us back in to perform another security assessment after the mandated RAM-W assessment was completed by another firm. One client handed me his RAM-W report (about 3" thick) and said: "We can't understand what this report is saying; can you take a look at our facilities and tell use what we really need to do to make them more secure".

I likewise am curious as to the outcome. I would hazard a guess it will come with strings attached that only those in the chemical industry will do surveys seeing as how they will be the ones writing the survey format.
Plant A will inspect Plant B and then six months later Plant B will inspect Plant A. The implication being, "If you don't hit me hard, I won't hit you hard."
The US Navy did it for its shipyards until it became a farce. They created a separate security department who conducted the surveys/inspections with no particular format or system. When the shipyards started getting hit hard, the Navy abolished the security department.
The FAA is both cheerleader and enforcer for the federal government. If the airlines did not like the actions of FAA's inspection arm they had their lobbyists petition congress and FAA was forced to back off. Former security chiefs are out there proudly wearing their scars. I know three of them, have for years.
The same thing will happen to chemical inspections. Their lobbyists know how to ply the right member on the right committee or subcommittee and the proposed rules or regulations are dispensed with or watered down.
Remember the government's trump card, "The regulation is there, but we thought you'd be mature enough to know we didn't want it enforced." When the agency is asked what would happen if you ignored the deficiency and a problem developed, the answer would be to probably terminate you or offer you specialized retraining with the provision of keeping your mouth shut!
What is the opinion of experienced consultants with experience with the government?
Enjoy the day,
Bill

Ditto - I am curious as a non-Seppo to see how this is planned out. Sydney's main water supply consists of a catchment area consisting of thousands of square miles of creeks, tributaries and the like and it was only last 2 years that it was being fenced around the main dam with CCTV on pumphouse and the like. Again H2o Engineers were sent back to class rooms and then suddenly qualified as Security Experts and heaven help us if it hits the fan with only limited security management in their operations. (oh wait it is government controlled so we have no money for that stuff).

Great topic, SecTrainer.

Some of our medical school/ tech clients have approached us about this reg. It will be interesting to see how it plays out over time.

John

John, for those of us who do not let the client influence our report writing, this is going to be an interesting exercise. For instance, what type of response do you think we'll get when we ask the question, "Do you look for explosive devices attached to railroad tank cars or truck tankers?" or "What would consider a suspicious device attached to a railroad tank car or truck tanker?" "If found, what are your security protocols?"
John, this could be the opening of Pandora's Jar.
Enjoy the day,
Bill

Cfats

As a Security Advisor for a major integrated Oil and Gas Energy Company, I can tell you that the average Security Vulnerability Assessment (SVA) that most security consultants would conduct will not suffice to meet the requirements as set forth in the new CFATS regulations. A specific SVA methodology, which has been approved by DHS, will be the ONLY methodolgy acceptable. The only thing I will say about it is that the methodolgy is strictly a risk based approach.

For those of you who think you are going to just pull an SVA template off the shelf and use it, will be greatly surprised (or disappointed) to know that DHS will not approve any SVA submitted using any other methodolgy than the one they have approved.

I saw first hand what happened when the MTSA regulations were pushed out after 9-11 and every sort of security consultant came out of the wood work and thought they new how to do SVA's. I'm here to tell you that the consultants who know how to conduct a thorough risk based SVA are few and far between.

Why would a company pay $20,000 - $30,000 for an SVA that will not even get approved by DHS? Bottom line...you better do your home work before you jump off into an area that you know very little about.

Girls and boys, correct me if I am wrong, but for the most part aren't security surveys driven by sensitivity, criticality and vulnerability based on credible and postulated threats against persons, places or things? What does existing intelligence tell us about the place and mission we are surveying?
I've had clients develop guides or formats and I sit down with them and go over each and every item in the guide as to their and my understanding of the wording.
Example: Do you store fuel in this building? They understood the answer should be no in most of the facilities I would visit. I asked, if they have emergency generators in the building, is there a 25-gallon storage tank in the proximity of the prime mover? The answer was yes, followed by "we didn't think about that."
Will my understanding of your intent be the same as mine or will there be any differences, subtle or obvious?
Enjoy the day,
Bill

Bill I think you again summed it up quite well - people just don't think outside their own arenas. I don't know whether it is ignorance, arrogance or a combination of both plus a bit more of stupidity. I guess I could sum it all up in 1 word ....... "TITANIC". It was because of ignorance, arrogance and stupidity that this ship sank to the bottom of the ocean.

NRM_Oz, thank you for your kind remarks. I just think it is a supreme shame when a consultant puts on blinders when in the conduct of a survey. We have to think outside the proverbial box and challenge ourselves as well as the client to always ask and think, "What if, what if?
Enjoy the day,
Bill

And, as a matter of professional integrity, it is worth noting that whether there are DHS regulations involved or not, all security surveys, RMAs, etc. should be anchored to the operational features, special considerations, regulatory environment, etc. which are specific to the industry in which the client is engaged. In other words, you can't do a proper security or risk analysis without having some industry expertise as well. For consultants who are "general practitioners", this requirement can be met by including an industry expert somewhere in your survey process...if even just to review and comment on your results before they go to the client.

Of course, where there *are* stringent requirements such as those mentioned above, such must be carefully understood and the industry expert you include on the survey team would obviously play a much bigger role in the total process. There are a number of ways to find industry experts in almost any field who practice independently and who would consider teaming up with you on a project that might be beyond your own internal expertise.

Where I was working before in another p/t project, it was dealing with HAZMAT (aka Hazardous Materials). I knew basically what requirements were but I engaged a Chemical Engineer who knew the exact requirements for the safe storage, etc of the chemicals used. We also had to be audited by the HAZMAT unit of the our Firebrigade to ensure they KNEW what was exactly onsite, the likelihood of amounts and above all the WHERE it was stored and HOW it was stored.

I could never have conducted the project successfully without this experts knowledge and experience and I advised my clients of the outcome only for them to understand my limitations, but were pleased to see me advise them of my shortfalls BEFORE the project commenced. It was completed without fuss and it was successful but sometimes we need to admit "hey I don't know everything".

Please take a look at ASME's site-
http://www.asme-iti.org/RAMCAP/ then click on news.

They are working with DHS on the methodology as I read and understand it. We have had discussions with them. Training will not be available until January.

John