1 Disclaimer The following information was presented by Matthew Bettridge of the Chemical Security Compliance Division of DHS on June 12, 2007 at the 2007 Chemical Sector Security Summit in Falls Church, VA. The information contained in this presentation is for information only and should not be construed as complete for compliance purposes.

Chemical Security Assessment Tool (CSAT) June 2007 Overview Chemical Security Compliance Division Office of Infrastructure Protection National Protection and Programs Directorate

3 Chemical Security Assessment Tool (CSAT) Overview Chemical Security - The Mission Requirements in Developing the CSAT CSAT Process and Applications –User registration –Screening questionnaire (Top-Screen) –Security Vulnerability Assessment tool (SVA) –Site Security Plan (SSP) template Information Protection Status / Next Steps

4 Chemical Security – The Mission P.L requires the Department to regulate chemical facilities that present a high level of security risk with priority on highest risk facilities. The IFR must: –Identify “high security risk” facilities –Develop Risk Based Performance Standards (RBPS) for security at chemical facilities –Approve and disapprove SVA and SSP –Perform Inspections to confirm facility security is in accordance with SSP –Enforce facility compliance and seek remedies –Manage objections and appeals process –Receive, manage, store, and restrict access to Chemical-terrorism Vulnerability Information –Provide Consultations and Technical Assistance upon request

5 Chemical Security Compliance Division (CSCD) Requirements in Developing CSAT Protect facility-specific and aggregated data Collect, catalog, and segregate data from a large number of chemical facilities Support and inform the determination of a facility’s regulatory status and tier ranking Enable automation whenever practical, possible, and appropriate Integrate and operate the IT system within enterprise architecture policy mandates as well as Federal constraints imposed on regulatory data collection regimes

6 High Level View – The CSAT Process Top-Screen Security Vulnerability Assessment Security Vulnerability Assessment Site Security Plan Register CSAT Users Exempted or not covered at this time or Preliminary Facility Tier Facility Tier and Asset Specific Security Issue(s) Preliminary Approval Inspection for Final Approval Validate Facility, Preparer, Submitter & Authorizer information Notify user of CVI responsibilities and restrictions Reviewer Invited by known & trusted user

7 User Registration Registration began on April 6 th and will continue for as long as the Rule is in force Go to to registerwww.dhs.gov/chemicalsecurity Regarding Authorizers, Submitters, and Preparers –Each facility must have an Authorizer, Submitter, and Preparer –The roles may be consolidated with one person or split between three people –Each user will have a unique user name and password Reviewers invited with the Top-Screen Register prior to publication of Appendix A to ensure your facility has the full 60 days to complete the Top Screen

8 Registration Process Go to Click “Register Now” Type in Captcha Complete Submitter and Authorizer information. Click “Continue to Facility Information” Complete Facility Information On the same page complete the associated Preparer information –If another facility click “ Add Another Facility ” –If no other facilities associated with the Submitter & Authorizer click “ Complete ”

9 Example User Role Structures

10 User Information Collected

11 Adding a Facility

12 Complete the Registration Process After last facility & Preparer click “complete” Download PDF Form Sign and send to DHS with username & temp password will be sent

13 User Role Consolidation Complete a new registration New users names are created Use transfer account access to consolidate user accounts

14 CSAT User Roles Responsibility May Edit May View May Invite a Reviewer Must be an Officer or Designee Must be domiciled in US May be a Consultant Authorizer Verify and validate the appropriate individuals are assigned the appropriate CSAT User Roles NoYes No Submitter Verify and validate information being submitted is correct and accurate Yes No Preparer Complete the Top-Screen based upon their intimate knowledge of the facility Yes NoYes Reviewer Support for the Preparer, Submitter, or Authorizer NoYes NoYes

15 Top Screen: Adding a Reviewer Selecting a reviewer is optional Added by a known CSAT user May be added while the Top-Screen is active May be an existing user or new user New users sent an (no PDF for signature) Subject to the same requirements as other CSAT users

16 CSAT Users & Consultants DHS expects that consultants who assist facilities in complying with 6 CFR Part 27 are CVI authorized users. If a facility wishes to have a private consulting company support them in completing CSAT the facility may register a person as the Preparer or invite the individual as a Reviewer.

17 CVI Disclaimer All CSAT Users must accept to enter Top Screen Ensures CVI tier letters may be sent to CSAT Users

18 Top Screen: What does it do? Identifies the security issue(s) at a facility using the DHS Chemicals of Interest list: -Risk to public health and safety -Potential targets for theft and/or diversion of potential chemical weapons or explosive precursor -Reactive chemicals stored in transportation containers -Concentrated capacity, the loss of which poses a risk to the economy or to the delivery of mission critical functions Enables DHS to directly inform a facility of its status and/or preliminary tier by letter

19 Top Screen: Addresses Specific Security Issues Risk to public health & safety Release: (deaths & injuries) –In-situ release of toxics chemicals –In-situ release and ignition of flammable chemicals –In-situ release/detonation of explosives chemicals Potential targets for theft or diversion: (presence of chemical) –Chemical weapons and precursors –Weapons of mass effect –IED Precursors Reactive and stored in transportation containers: (presence of chemical) –Chemicals that react with water to generate poison gasses Critical to essential government missions: (facility specific basis) Critical to the national or regional economy: (facility specific basis)

20 Top Screen: How does public health and safety tiering work? Deaths and injuries are calculated using a variation of the EPA Risk Management Program (RMP) worst case scenario methodology DHS’s approach adjusts the RMP*Comp exposed population estimate to account for the safety perspective: –Single container breach assumption –Residential population only –EPRG-2 exposure limit –25 mile cutoff limit in RMP Comp –Uniform population density DHS estimates predictable deaths and injuries that would be considered Urgent or Priority in normal medical triage Process validated through independent expert panel

21 Post Top Screen Letter from DHS DHS letter to a facility is protected under CVI and includes: -Preliminary facility tier -Chemicals at the facility to address in the SVA -Security issue associated with the identified chemical(s) -Next steps required by the facility

22 Security Vulnerability Assessment (SVA) Follows the SVA approach established by CCPS and others –Asset Characterization: assets associated with chemicals identified in the post Top-Screen letter –Threat Characterization: specific scenarios prescribed by CSAT –Consequence Analysis: potential consequence of scenarios against identified assets –Vulnerability Analysis: security measures in place to mitigate or reduce the likelihood of success of an attack on an asset Cyber vulnerability assessment included Tier 4 facilities upload ASPs for review

23 Locating Critical Assets CSAT provides up to 1m resolution Enables a facility to upload image if necessary

24 Identify Attack Location Each critical asset is identified The location of attack is identified Judgment of preparer and submitter as to impacts Reasonableness verified during inspection

25 SVA Output Informs tier of each critical asset based on potential consequences Final facility tier based on highest asset-specific tier Generates a CVI protected letter to each facility that includes: Final facility tier Asset specific tier ranking and the associated security issue Defines the next steps required by the facility Information in post-SVA letter used by facility during CSAT SSP to identify the applicable RBPS based on asset tiers and security issues

26 Site Security Plan (SSP) Content All critical assets in the post-SVA letter must be addressed in the SSP All security measures in place or planned to achieve the applicable RBPS Review of SSPs will be prioritized based upon SVA results Facilities may upload ASPs for consideration

27 Information Protection Chemical-terrorism Vulnerability Information –Handling manual, web-based training, FAQs, and Work Products Guide available soon on websitewww.dhs.gov/chemicalsecurity –CVI User Authorization Request form and Non-disclosure Agreement Form sent to CSAT helpdesk –Unique identification # will be sent to authorized users –Being a CVI Authorized User does not constitute need to know –Presently, CSAT users agree to a disclaimer statement prior to beginning the Top Screen CVI in enforcement proceedings will be treated as classified information DHS has formally classified: –Formulas, calculations, tiering thresholds –Information that would inform terrorist targeting

28 Status and Next Steps User Registration operational Top-Screen operational SVA under development; operational in late-summer SSP under development, operational in early in 2008 Follow-on capability enhancements to CSAT –Integrated RMP*Comp calculations –Management of facility user roles by Authorizer –Personnel Surety portal to Terrorism Screening Database –Improved integration of CVI & CSAT –User suggestions?

29 Top Screen Previews Small group demonstrations are available throughout the conference Sign up for the top screen demos at the main registration table Opportunity to review the Top Screen Ask questions and get answers

30 CSAT helpdesk can assist you CSCD welcomes your comments and suggestions for improvement to CSAT