
CHEMICAL-TERRORISM VULNERABILITY INFORMATION

WARNING: This record contains Chemical-terrorism Vulnerability Information controlled by 6 CFR 27.400. Do not disclose to persons without a “need to know” in accordance with 6 CFR § 27.400(e). Unauthorized release may result in civil penalties or other action. In any administrative or judicial proceeding, this information shall be treated as classified information in accordance with 6 CFR 27.400(h) and (i).

This template is not CVI until a user begins to populate it with Chemical-terrorism Vulnerability Information as defined by DHS. Please delete this text box as soon as the resulting document contains CVI.


CFATS Alternate Security Program

Company Name

Facility Name

Table of Contents

Prologue: Responsible Care/Responsible Distribution - Enhancing CFATS Compliance.....3

1. Facility Identification and Terminology...............................................................................5

2. Facility Operating and Security Organizations (RBPS 17)................................................5

3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (All RBPSs)..........................6

4. CFATS Compliance Time Line.............................................................................................6

5. Facility Description (RBPS 1, 2)............................................................................................7

6. Perimeter Security (RBPS 1, 2, 3, 4, 6*, 7*).........................................................................7

7. Access Control (RBPS 1, 2, 3, 4, 5, 6*, 7*, 12)......................................................................7

8. Security Monitoring & Response (RBPS 1, 2, 4, 6*, 7*, 9, 11, 15, NOT RBPS 10)..........8

9. Emergency Response and Contingency Operations (RBPS 4, 7*, 9, 11)...........................9

10. Shipping and Receiving (RBPS 5, 6*, 7*, 9, 11).................................................................9

11. Theft (RBPS 6)....................................................................................................................10

12. Sabotage/Contamination (RBPS 7)...................................................................................10

13. Cyber Security (RBPS 8)....................................................................................................11

14. Security Equipment Inspection, Testing & Preventive Maintenance (RBPS 10).........14

15. Training (RBPS 8, 9, 11, 16)..............................................................................................14

16. Personnel Surety (RBPS 12)..............................................................................................15

17. NTAS Threat Escalation, Specific Threats (RBPS 13, 14)..............................................15

18. Security Incident Identification, Reporting & Investigation (RBPS 8, 15, 16).............16

19. Recordkeeping (RBPS 18)..................................................................................................16

20. SSP/ASP Audits..................................................................................................................17

21. Planned and Proposed Security Measures.......................................................................17

22. Attachments.........................................................................................................................17

Sections address the RBPSs listed in the section titles. Underscore signifies primary emphasis. Asterisk signifies applicability only if the facility is tiered for that issue (theft or sabotage).


Prologue: Responsible Care/Responsible Distribution - Enhancing CFATS Compliance

BACKGROUND

Member companies of the American Chemistry Council (ACC) and the National Association of Chemical Distributors (NACD) are committed to continuous security improvement through their respective industry programs: Responsible Care and Responsible Distribution. Implementation of these programs is mandatory for all members of ACC and NACD. These programs address physical site, supply chain, and cyber security at all member locations, as well as other membership requirements. As a result, ACC and NACD members are required to conduct Site Security Vulnerability Assessments using approved methodologies and to implement security measures that are verified by credible and independent third parties.

Industry programs can be leveraged by state and federal regulators through regulatory recognition. By recognizing compliance under an industry program, regulators can apply credit toward compliance with a regulatory program where the same elements overlap. Current examples where an industry program has been recognized include the City of Baltimore and the state of Maryland, where operators in those jurisdictions can substitute Responsible Care compliance for certain security regulations. Industry programs can also be used as a basis for alternative compliance programs, as in the case of the Coast Guard MTSA Alternate Security Plan (ASP).

ACC and NACD members have been able to leverage implementation of their respective industry programs to help them meet the regulatory requirements of CFATS, since these programs are highly consistent and complement one another. For purposes of completing this ASP for CFATS compliance, DHS reviewers should give consideration to ACC and NACD members’ commitment and proactive leadership to enhancing security across all facets of their operations.

HOW THE RESPONSIBLE CARE AND RESPONSIBLE DISTRIBUTION SECURITY CODES WORK

ACC and NACD’s Security Codes are very similar in content and in the expectations they place on member companies. Each has 13 management practices or elements that require member companies to conduct comprehensive security vulnerability assessments (SVAs) and implement security enhancements under a strict timeline, using methods approved by nationally recognized security experts. Companies also must obtain independent verification to prove they have implemented the physical site security measures identified during the SVA.

Prioritization and Assessment of Sites: Companies initially prioritize their facilities according to a four-tier system based on vulnerability and then conduct SVAs at all facilities.

Implementation of Security Measures: After completing the SVA process, companies implement security enhancements to control or mitigate identified risks to facility, cyber and value chain security, based on a set of security management practices.

Protecting Information and Cyber-Security: Safeguarding information and process control systems is a critical component of sound security management and an essential part of the ACC and NACD Security Codes. 


Training, Drills, and Guidance: Emergency preparedness is a hallmark of both the Responsible Care and Responsible Distribution initiatives. Training, drills, and guidance enhance security awareness and capabilities across the business of chemistry. 

Communications, Dialogue, and Information Exchange: The Security Codes emphasize cooperation among chemical producers, distributors, customers, suppliers, and shippers and establishing and maintaining a constructive, consistent dialogue with government agencies. 

Response to Security Threats and Incidents: Companies evaluate, respond, report, and communicate security threats as appropriate and have a process in place to respond to incidents and take corrective action. 

Continuous Improvement: ACC and NACD Security Codes include planning, establishing goals and objectives, monitoring progress and performance, analyzing trends, and developing and implementing corrective actions. 

Independent Review: Facilities undergo independent audits by third-party individuals and organizations to assure that necessary security enhancements are in place.

For more detailed information about ACC and NACD Security Codes, please refer to: http://responsiblecare.americanchemistry.com/Responsible-Care-Program-Elements/Responsible-Care-Security-Code and http://www.nacd.com/default/assets/File/nacd_securityflyer_september2013.pdf.


1. Facility Identification and Terminology

CSAT Facility ID No.:

Facility Name:

General and Facility-Specific Acronyms and Terminology

CCTV – Closed-circuit television (security/process cameras)

CA – Critical Asset (see RBPS Guidance p. 16 for Critical Assets)

CDRA – CFATS-Designated Restricted Area (see RBPS Guidance p. 16 for Restricted Area)

DCS – Distributed Control System

ICS – Industrial Control System

IDS – Intrusion Detection System

MOU – Memorandum of Understanding, typically with a local, regional or state law enforcement or emergency response entity, laying out the division of security and response responsibilities between the facility and the agency

PCS – Process Control System

ERP – Enterprise Resource Planning software: computer software for tracking, for example, materials received, shipped and in inventory

SCADA – Supervisory Control and Data Acquisition

-- Other Facility-Specific Acronyms --

2. Facility Operating and Security Organizations (RBPS 17)

Operating and Security Roles

o Owner/Operator or Designate
Name, Title, Telephones, Email

o Corporate Security Officer
Name, Title/responsibility, Telephones, Email


o Facility Security Officer
Name, Title, Telephones, Email

o Alternate Facility Security Officer
Name, Title, Telephones, Email

o Cyber Security Officer
Name, Title/responsibility, Telephones, Email

o Facility Plant Manager
Name, Title/responsibility, Telephones, Email

3. Chemicals of Interest (COIs)/Security-Vulnerability Issue (All RBPSs)

The measures in the ASP apply to the following COIs and associated security issues as per the Final Tier Letter:

Name | CAS# | Security Vulnerability Issue | Tier | Process

“Process” indicates the facility processes relevant to the COI: Rc=receive, M=manufacture, Sh=ship, Sl=sell

4. CFATS Compliance Time Line

Date of last Top Screen submission Month dd, yyyy

Date of last SVA submission Month dd, yyyy

Date of Final Tier Letter Month dd, yyyy

[Date of Compliance Assistance Visit Month dd, yyyy]

[Date of Request for Redetermination Month dd, yyyy]

5. Facility Description (RBPS 1, 2)

Locale and total acreage

Buildings and storage areas (names, descriptions, square footage)

Facility-based, asset-based or hybrid protection approach

Security Guard personnel

CFATS-Designated Restricted Areas (CDRAs)
o Description

Critical Assets (CAs)
o Description

Special Considerations
o Google Earth or similar aerial image

Facility diagram showing perimeter, access points, CDRA’s, Critical Assets, and the location of COIs in relationship to these components

6. Perimeter Security (RBPS 1, 2, 3, 4, 6*, 7*)

The facility employs a process for limiting access to the facility and/or to CDRAs.

Security Barriers, Perimeter Fence and Top Guard (qualitative description)/ Perimeter Structures.

Topographical or landscaping barriers

Vehicle barriers

Signage

Clear zones

Lighting

Perimeter security measures (i.e., personnel, intrusion detection, cameras, other, to include monitoring frequency)

CDRA security measures (i.e., personnel, intrusion detection, cameras, other, to include monitoring frequency)

7. Access Control (RBPS 1, 2, 3, 4, 5, 6*, 7*, 12)

The facility employs a process for controlling access to the facility and screening selected persons and vehicles seeking access to CDRAs.

Gates/ portals/ access points
o Motor vehicle
o Rail
o Personnel
o Emergency


Signage

Key/lock/combination and access credential control program

Facility Personnel (Employee/Contractor) Identification Verification and Access Measures (see also Section 16 for Personnel Surety):
o Identification verification method (personnel based and/or electronic access control system)
o Screening and Inspections

Visitor Identification and Processing
o Identification verification (personnel based and/or electronic access control system)
o Identification badges
o Sign-in sheets
o Screening and Inspections
o Escorting/ restricted zones

Vehicle Identification and Access Measures (inbound/outbound)
o Driver credentials (e.g., Photo ID, HazMat endorsement)
o Vehicle Identification
o Screening and inspection
o System controls (e.g., swipe card logging)
o Facility/CDRA parking restrictions, proximity to COI if theft/diversion (i.e., signage or barriers)

8. Security Monitoring & Response (RBPS 1, 2, 4, 6*, 7*, 9, 11, 15, NOT RBPS 10)

See also Section 18 - Security Incident Identification, Reporting & Investigation

The facility monitors each CDRA and CA to detect unauthorized adversary actions towards Final Tier Chemicals of Interest. The facility has a process in place to rapidly and efficiently report security incidents to the appropriate entities (e.g., corporate management, local law enforcement, local emergency responders, DHS).

Security Measures and Operations (Examples: intrusion detection systems (IDS), CCTV, Personnel Coverage)
o Overview
   General
   Backup power
o Coverage (be brief)
   Perimeter
   Access points
   Storage area
   Loading / unloading area
   CDRA’s / CA’s
o Monitoring
   Frequency of monitoring
   Who monitors
   Recording capability
   Notifications
o System descriptions

Security Operations
o Security monitoring, response and reporting process
o External notifications
o Security Response – See also Section 18
o Proprietary or contracted response forces
o Coordination with local, state, or federal law enforcement

9. Emergency Response and Contingency Operations (RBPS 4, 7*, 9, 11)

The facility has a documented crisis management plan that details how the facility will respond to an emergency and has demonstrated its ability to implement the plan through drills and exercises.

Internal Emergency Notification Systems
o Back-up power
o Alarm systems and/or types of notifications
o Communication systems, primary and backup

Process Safety Mitigation (as it relates to CFATS and protection of COI) [guidance: this may not be applicable to warehouse operations unless there are process systems in place]

Crisis Management Plan Overview
o Site emergency plans
o Corporate support
o List of responding police and fire agencies and contact information
o Does the facility share its plan with local law enforcement or responders?
o Community notification

Contingency Operations of Safety and Security Systems

10. Shipping and Receiving (RBPS 5, 6*, 7*, 9, 11)

The facility has vehicle identification and entry authorization, shipping, and control procedures.

Shipping and Receiving Overview
o Materials received and shipped -
o Shipment verification (inbound and outbound)
o Carrier/driver identification
o Response to “Unknown Carrier”

Customer Qualification “Know your Customer” Program

Transportation (into, leaving and within facility)
o Carriers
o Equipment utilized
o On-site storage/staging/parking procedures
o Security coverage

11. Theft (RBPS 6)

(Responses related to RBPS 6 are only required for facilities tiered for theft/diversion)

Since the facility has not been tiered for theft/diversion, it does not specifically address security measures for theft in this ASP.

OR

The facility has security measures that reduce the likelihood of theft or diversion of COI.

Scope

COI Storage Area
o Location within facility
o Construction/physical security
o Located in a CDRA?
o Access control and inspections (personnel and vehicles)
o Monitoring (including personnel, vehicle and rail access points)
o Inventory control (frequency of reconciliation)

12. Sabotage/Contamination (RBPS 7)

(Responses related to RBPS 7 are only required for facilities tiered for Sabotage/Contamination)

Since the facility has not been tiered for sabotage/contamination, it does not specifically address security measures for sabotage/contamination in this ASP.

OR

The facility has security measures that reduce the likelihood of sabotage or contamination of COI.

Scope


Sabotage Procedures and Tampering Prevention/Detection
o Processes for detection of tampering
o Tamper evident packaging, containers, seals or locks

COI Storage Area
o Location within facility
o Construction/physical security
o Located in a CDRA?
o Access control and inspections (personnel and vehicles)
o Monitoring (including personnel, vehicle and rail access points)
o Inventory control (frequency of reconciliation)

13. Cyber Security (RBPS 8)

The facility has in place cyber security policies, procedures, and measures that result in deterring cyber sabotage, including by preventing unauthorized onsite or remote access to critical process controls, critical business systems, and other sensitive computerized systems.

Components/systems affecting COIs

Cyber Security Policies

o Cyber Security Policies, Plans and Procedures - The facility has documented and distributed cyber security policies and/or procedures (including a change management policy) commensurate with the facility’s current IT operating environment.

o Cyber Security Officials - The facility has designated one or more individuals to manage cyber security who can demonstrate proficiency through a combination of training, education, and/or experience sufficient to develop cyber security policies and procedures and ensure compliance with all applicable industry and governmental cyber security requirements.

Access Control

o Systems Boundaries - The facility has identified and documented systems boundaries (i.e., the electronic perimeter) and has implemented security controls to limit access across those boundaries.

o External Connections - The facility has established and documented a business requirement for every external connection to/from its critical systems, and external connections have controls that permit access only to authorized and authenticated users.

o Least Privilege - The facility practices the concept of least privilege.

o Remote Access and Rules of Behavior - The facility has defined allowable remote access (e.g., Internet, VPN, modems) and rules of behavior. Those rules describe user responsibilities and expected behavior with regard to information system usage, to include remote access activities (e.g., appropriate Web sites, conduct of personal business).

o Password Management - The facility has documented and enforces authentication methods (including password structures) for all administrative and user accounts. Additionally, the facility changes all default passwords and ensures that default passwords for new software, hardware, etc., are changed upon installation. In instances where changing default passwords is not technically feasible (e.g., a control system with a hard-coded password), the facility has implemented appropriate compensating security controls (e.g., physical controls).

Personnel Security

o Criticality Sensitivity Review - The facility has reviewed and established security requirements for positions that permit access to critical cyber systems.

o Unique Accounts - The facility has established and enforces unique accounts for each individual user and administrator, has established security requirements for certain types of accounts (e.g., administrative access to the system), and prohibits the sharing of accounts. In instances where users function as a group (e.g., control system operators) and user identification and authentication is role based, then appropriate compensating security controls (e.g., physical controls) have been implemented.

o Separation of Duties - IT management, systems administration, and IT security duties are not performed by the same individual. In instances where this is not feasible, appropriate compensating security controls (e.g., administrative controls, such as review and oversight) have been implemented.

o Access Control Lists - The facility maintains access control lists, and ensures that accounts with access to critical/sensitive information or processes are modified, deleted, or de-activated in a timely manner for personnel who leave the company, complete a transfer into a new role, or incur a change in responsibilities.

o Third-party Cyber Support - The facility ensures that service providers and other third parties with responsibilities for cyber systems have appropriate personnel security procedures/practices in place commensurate with the personnel surety requirements for facility employees.

o Physical Access to Cyber Systems and Information Storage Media - The facility has role-based physical access controls to restrict access to critical cyber systems and information storage media.

Awareness and Training

o Cyber Security Training - The facility ensures that employees receive role-based cyber security training on a regular annual basis that is applicable to their responsibilities and within a reasonable period of time of obtaining access to the facility’s critical cyber systems. (See Section 15)

Cyber Security Controls, Monitoring, Response, and Reporting

o Cyber Security Controls - The facility has implemented cyber security controls to prevent malicious code from exploiting critical cyber systems, and it applies appropriate software security patches and updates to systems as soon as possible given critical operational and testing requirements.

o Network Monitoring - The facility monitors networks for unauthorized access or the introduction of malicious code and logs cyber security events, reviews the logs weekly, and responds to alerts in a timely manner. Where logging of cyber security events on their networks is not technically feasible (e.g., logging degrades system performance beyond acceptable operational limits), appropriate compensating security controls (e.g., monitoring at the network boundary) are implemented.

o Incident Response - The facility has defined computer incident response capability for cyber incidents.

o Incident Reporting - Significant cyber incidents are reported to senior management and to DHS’s US-CERT at www.us-cert.gov.

o Safety Instrumented Systems – The facility’s SISs have no unsecured remote access and cannot be compromised through direct connections to the systems managing the processes they monitor. OR The facility does not have Safety Instrumented Systems.

Disaster Recovery and Business Continuity

o Post-Incident Measures - The facility’s alternate facility operations and primary facility recovery/reconstitution phases have cyber security measures (and temporary compensatory measures as needed) consistent with those in place for the original operational functions.

System Development and Acquisition

o Systems Life Cycle - The facility integrates cyber security into the system life cycle (i.e., design, procurement, installation, operation, and disposal). The facility has established security requirements for all systems and networks before they are put into operation and for all operational systems and networks throughout their life cycles.

Configuration Management

o Documenting Business Needs - The facility has documented a business need for all networks, systems, applications, services, and external connections.

o Cyber Asset Identification – The facility has identified hardware, software, information, and services and has disabled all unnecessary elements where technically feasible. The facility also has identified and evaluated potential vulnerabilities and implemented appropriate compensating security controls.

o Network/ System Architecture - The facility has an asset inventory of all critical IT systems.

Audits


o Audits - The facility conducts periodic audits that measure compliance with the facility’s cyber security policies, plans, and procedures and reports audit results to senior management.
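The Audits item above measures compliance with the facility’s own cyber security policies. As an added example that is not part of this template or of the ACC/NACD programs, the Python below runs that kind of self-audit over a constructed asset and account inventory, checking several of the items Section 13 names: default passwords left in place without a documented compensating control, remote access on a Safety Instrumented System, assets with no documented business need, shared role-based accounts without compensating controls, accounts still active after their owner left, and the weekly log review. The field names, asset names and dates are assumptions made for the illustration.

```python
"""RBPS 8 self-audit over a cyber asset and account inventory (added example;
the inventory, accounts and dates are constructed sample data, not a real
facility's records, and the field names are assumptions for illustration)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (Section 13 item, asset or account, detail)


@dataclass
class Asset:
    name: str
    kind: str                          # e.g. "DCS", "SIS", "workstation", "gateway"
    default_password_changed: bool
    compensating_control: str = ""     # documented when a default password cannot be changed
    remote_access: bool = False
    business_need: str = ""            # Configuration Management: documented business need


@dataclass
class Account:
    user_id: str
    asset: str
    role_based: bool = False           # shared operator-group account (Unique Accounts item)
    compensating_control: str = ""
    active: bool = True
    owner_left_on: Optional[date] = None   # set when the owner left or changed roles


def log_review_overdue(last_review_iso: str, today_iso: str) -> bool:
    """Network Monitoring item: security event logs are to be reviewed weekly."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_review).days > 7


def audit(assets: List[Asset], accounts: List[Account], today: date) -> List[Finding]:
    """Return one finding per gap against the Section 13 items checked here."""
    findings: List[Finding] = []
    for a in assets:
        # Password Management: a default password may only remain where changing it
        # is infeasible AND a compensating control (e.g. physical) is documented.
        if not a.default_password_changed and not a.compensating_control:
            findings.append(("Password Management", a.name,
                             "default password in place, no compensating control documented"))
        # Safety Instrumented Systems: no unsecured remote access.
        if a.kind == "SIS" and a.remote_access:
            findings.append(("Safety Instrumented Systems", a.name,
                             "remote access enabled on a safety instrumented system"))
        # Configuration Management: every system needs a documented business need.
        if not a.business_need:
            findings.append(("Documenting Business Needs", a.name,
                             "no documented business need"))
    for acct in accounts:
        # Unique Accounts: shared role-based accounts only with compensating controls.
        if acct.role_based and not acct.compensating_control:
            findings.append(("Unique Accounts", acct.user_id,
                             "shared role-based account without compensating control"))
        # Access Control Lists: accounts of departed personnel must be deactivated
        # in a timely manner; report how long the account has outlived its owner.
        if acct.active and acct.owner_left_on is not None:
            days = (today - acct.owner_left_on).days
            findings.append(("Access Control Lists", acct.user_id,
                             f"still active {days} days after owner left"))
    return findings


# Constructed sample inventory (not real facility data).
SAMPLE_ASSETS = [
    Asset("DCS-01", "DCS", True, business_need="controls COI unloading"),
    Asset("SIS-01", "SIS", False,  # hard-coded password, but compensating control documented
          compensating_control="vendor hard-coded password; panel in locked cabinet",
          business_need="safety shutdown"),
    Asset("HMI-02", "workstation", False, business_need="operator HMI"),
    Asset("SIS-02", "SIS", True, remote_access=True, business_need="safety shutdown"),
    Asset("VPN-GW", "gateway", True),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", "DCS-01"),
    Account("operators", "HMI-02", role_based=True),
    Account("ctrlroom", "DCS-01", role_based=True,
            compensating_control="control room badge access"),
    Account("asmith", "ERP", owner_left_on=date(2024, 1, 10)),
    Account("bjones", "ERP", active=False, owner_left_on=date(2024, 2, 1)),
]


def run_sample_audit(today_iso: str = "2024-03-01") -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for item, subject, detail in run_sample_audit():
        print(f"{item}: {subject}: {detail}")
    print("log review overdue:", log_review_overdue("2024-02-18", "2024-03-01"))
```

Each finding names the Section 13 item it maps to, so the output can be filed directly as an audit result for senior management as the Audits item requires.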

14. Security Equipment Inspection, Testing & Preventive Maintenance (RBPS 10)

(This section addresses the RBPS referred to as “Monitoring,” which is separate and distinct from the monitoring of security systems for the detection of adversary actions.)

The facility has a written plan to regularly inspect, test, calibrate and maintain security systems.

Site Practices For Inspection, Testing And Preventive Maintenance Of Security Equipment
o Overview of process for each security system (gates, cameras, DVR, alarms, IDS, lighting)

Testing, inspection and preventive maintenance for each

Temporary compensatory measures during outages

Prompt reporting of systems failures and outages to appropriate personnel, including as needed the FSO/AFSO, to implement temporary compensatory measures

Certification and activity logging of 3rd party maintenance providers

Record-keeping – See Section 19

15. Training (RBPS 8, 9, 11, 16)

The facility has a documented security awareness and training program for employees.

Initial and periodic security training is integrated into existing staff training processes, such as those required for DOT HazMat security training.

Roles and responsibilities of CSO, FSO, AFSO and other designated CFATS roles are communicated prior to or within ____ weeks of individuals assuming those roles.

Depending on roles, training focus areas may includeo Threat profile overviewo CFATS-designated restricted areaso Security incident responseo Detection of suspicious activity and evidence of theft or tamperingo Cyber security awareness and processeso Reporting of security incidentso Investigation and documentation of security incidentso DHS NTAS threat alert responseo Emergency Response and Crisis Management, including drills and exercises


o External agency interfaces
o Any specific threats communicated by the Assistant Secretary

Record-keeping – See Section 19

16. Personnel Surety (RBPS 12)

The facility has processes, procedures and/or systems to perform appropriate background checks on and ensure appropriate credentials for facility personnel, and, as appropriate, for unescorted visitors with access to restricted areas or critical assets, including:

(i) Measures designed to verify and validate identity;
(ii) Measures designed to check criminal history;
(iii) Measures designed to verify and validate legal authorization to work; and
(iv) Measures designed to identify people with terrorist ties

All facility personnel and unescorted visitors with access to CDRAs or critical assets must have background checks performed.

Overview of Background Check program:
o Processes for new and existing employees, including frequency (annual, only upon hire, etc.)
  - Verification of social security number
  - Criminal history check (Federal, State or Local)
  - USCIS Form I-9 check
  - Additional checks deemed appropriate and necessary
o Disqualifying criteria
o Process for contractors requiring unescorted access to CDRAs or critical assets

Screening for Terrorist Ties:
o The facility will have a documented process to comply with the CFATS requirements for screening individuals against the Terrorist Screening Database (TSDB), within a reasonable time after such requirements are established and communicated by DHS.

17. NTAS Threat Escalation, Specific Threats (RBPS 13, 14)

The facility has a documented process for rapidly implementing an increased security posture in response to DHS NTAS threat alerts and other communications from the Assistant Secretary, and has the ability to carry out that process in a timely manner.

Overview of threat escalation procedures
o Process for response to NTAS System threat level changes, with time line
o Communications from DHS


  - At such time as the Assistant Secretary may communicate threats, vulnerabilities or risks specific to this facility, the facility owner/operator will review and update security measures commensurate with the information provided.

18. Security Incident Identification, Reporting & Investigation (RBPS 8, 15, 16)

See also Section 8 – Security Monitoring & Response

The facility has written procedures and related personnel training that identify the types of incidents to report, the process for reporting these incidents, to whom these incidents should be reported, and who is responsible for reporting such incidents. The facility may investigate selected security incidents to identify and potentially implement lessons learned.

Examples of the types of incidents or events that may qualify as reportable security incidents

Overview of Security Incident Processes
o Internal and external reporting processes; external reporting may include local, state and federal agencies as the situation warrants. Examples include:
  - EMERGENCY -- 911
  - Local law enforcement
  - NICC – see http://www.dhs.gov/national-infrastructure-coordinating-center; Email: [email protected]; Phone: (202) 282-9201
  - DHS US-CERT (for cyber incidents) – see https://www.us-cert.gov/; Email: [email protected]; Phone: (888) 282-0870
  - FBI – see http://www.fbi.gov/report-threats-and-crime or http://www.fbi.gov/contact-us/
  - Regional fusion centers – see https://nfcausa.org/default.aspx/MenuItemID/131/MenuGroup/Public+Home.htm
o See attached template for incident reporting, listing types of incidents, agencies to be contacted for each type, and responsibility for reporting.
o Roles and Responsibilities
o Recordkeeping – see Section 19
o Investigation process, including lessons learned and how implemented

19. Recordkeeping (RBPS 18)

The facility develops and retains CFATS-related records as per 6 CFR 27.255, using guidance provided in the Revised Procedural Manual for Safeguarding CVI (2008).

Minimum three year retention:


o Training - date and location of each training session, time of day and duration of each session, a description of the training, the name and qualifications of the instructor, a list of attendees (including each attendee’s signature and a unique identifier), and the results of any evaluation or testing.

o Drills and exercises - the date held, a description of the drill or exercise, a list of participants, a list of equipment (other than personal equipment) tested or employed in the exercise, the name(s) and qualifications of the exercise director, and any best practices or lessons learned that may improve the Alternate Security Plan.

o Incidents and breaches of security - date and time of occurrence, location within the facility, a description of the incident or breach, the identity of the individual(s) to whom it was reported, and a description of the response.

o Maintenance, calibration, testing of security equipment - date and time, name and qualifications of the technician(s) doing the work, and the specific security equipment involved for each occurrence of maintenance, calibration, and testing.

o Security threats - date and time of occurrence, how the threat was communicated, who received or identified the threat, a description of the threat, to whom it was reported, and a description of the response.

o SSP audits (including those required under §225(e)) and SVA audits - a record of the audit, results of the audit, name(s) of the person(s) who conducted the audit, and a letter certified by the covered facility stating the date that the audit was conducted. (SSP is taken to mean the combined SSP General Information/ASP as authorized.)

o Letters of authorization and approval - The facility retains all Letters of Authorization and Approval from DHS and documentation identifying the results of audits and inspections conducted pursuant to §27.250.

o Documentation of results of inspections and audits under 6 CFR 27.250 – a copy of the inspection report as provided by DHS

Minimum six year retention:
o Top Screens, Security Vulnerability Assessments, Alternate Security Program, Alternative Security Plan, and related correspondence, including Requests for Review and Requests for Redetermination

20. SSP/ASP Audits

The facility conducts annual audits of its compliance with the SSP/ASP and maintains records as per Section 19 of this ASP, as required under 6 CFR 27.225(a)(6).

21. Planned and Proposed Security Measures

Planned Security Measures

Proposed Security Measures


22. Attachments

Drawings/Diagrams
o Overall facility diagram, showing location of COI in relationship to perimeter, access points, and CDRAs.
o Other diagrams

Photos and Other Illustrations
o Photo “Album”
o Additional illustrations

Reference List of Policies, Practices, or Standard Operating Procedures

Templates (Record-keeping, Incident reporting)

Memoranda of Understanding (MOUs) with local law enforcement and other first responders – see Section 1 – Facility Identification and Terminology
