Officials from the US Coast Guard and Department of Homeland Security provided updates on Marine Transportation Security Act (MTSA) and Chemical Facility Anti-Terrorism Standards (CFATS) issues in the session “Terminal Facility Security Update: What You Need to Know” during the International Liquid Terminals Association’s 39th annual International Operating Conference.
MTSA updates covered the status of the Transportation Worker Identification Credential (TWIC) reader rule, seafarer’s access and new guidelines for risk-based inspections, among other items; and CFATS updates included reauthorization status, new terrorist screening provisions and current areas of emphasis.
Cmdr Charles Bright, chief of the US Coast Guard’s cargo and facilities division, delivered the MTSA information, and Amy Graydon, deputy director for DHS’s infrastructure security compliance division, supplied the CFATS update.
“It’s been a busy year in the last 12 months, and it’s going to be a busy next 12 months with a lot of things going on,” said attorney and moderator Steve Roberts, a chemical security expert with Roberts Law Firm.
Recent CG-FAC policy letter 19-03, signed March 19, outlines regulatory and policy requirements and risk considerations for facility inspections, providing guidance to captains of the port (COPTs) in determining how often to conduct facility inspections. Bright said the new internal policy underscores the Coast Guard’s move toward risk-based inspections, where the COPT has the authority to set an inspection schedule.
Bright said he expects some ports to move to risk-based inspections immediately, with others taking a more measured approach to the transition, and terminal operators should begin having discussions with their COPTs.
“With our decreasing budgets and personnel, we’re looking to provide them with a little flexibility to say, ‘Hey, we don’t need to look at the good facilities every year. We want to look at the bad facilities a little more often,’” he said. “There really was no policy out there, previous to this one, that said you could do that.”
Fewer regular inspections, and less of the associated paperwork, also will free up the Coast Guard to observe facility operations more often and use more transfer monitors for monitoring product transfers and other operations, including tank cleaning, Bright said.
The Coast Guard currently is working on updating the Certificate of Adequacy (CoA) program, which is governed by internal guidance from the 1980s. Bright said they’ll need up to two years to complete the process, but CoAs still must be in place for terminals to receive ships—and it’s up to terminal operators to secure them.
“If you say you have a Certificate of Adequacy, but you pass it off to an agent to do all the coordinating, the agent is not the one who owns that Certificate of Adequacy,” he said. “That is for the port or terminal. If you provide the proper tools for them to get it done, that’s fine. If you have a problem, the ship can’t offload and it gets reported to us, we’re coming to the person who owns the Certificate of Adequacy.”
Other updates covered API standards, MTSA 105 facilities, seafarers’ access and the status of the controversial TWIC reader rule.
API standards incorporated into policy letters 18-02 and 18-03 allow for the use of the API 570 Piping Inspection Code for in-service pipeline testing for liquified hazardous gases. Terminals can use the standards to implement their own inspection regimes, Bright said, but “you have to implement fully, and ... prove to us that you’re doing it.”
An amendment to the SAFE Port Act in late 2018 says MTSA 105 facilities must “periodically, but not less than one time per year, conduct a risk-based, no-notice facility inspection to verify the effectiveness of each such facility security plan.” Now, instead of two security inspections required per year, the Coast Guard is down to one, with more allowed but not required. These inspections can be announced or unannounced, and their scope can change based on facility risk, Bright said.
The final rule for seafarers’ access, which requires owners or operators of maritime facilities regulated by the Coast Guard to provide seafarers timely, no-cost access to their facilities, was signed in April and went into effect in May. Access procedures must be addressed in all facility security plans by February 2020 and fully implemented by June 2020, Bright said.
As for TWIC and TWIC readers, the Homeland Security Operational Analysis Center (HSOAC) still was assessing the program as required by the TWIC Accountability Act signed by President Trump last August, but Bright expected the assessment to conclude this summer. The Coast Guard then will incorporate the report into any rule-making processes going forward.
“If you want to implement TWIC and TWIC readers, go right ahead,” Bright said. “It’s up to you. We are even researching some of the impacts of TWIC within our own organization. To get a merchant marine license credential, you have to be able to get a TWIC, so we have other things that we’re concerned about, and where we’re going to go from there.”
Graydon opened by emphasizing the importance of the reauthorized CFATS program, which seeks to improve chemical facility security and guard against terrorists who want to steal or divert chemicals for nefarious activities.
“The threat of a terrorist attack using chemicals is as real and relevant today as it ever has been, and certainly adversaries seek to use the types of chemicals covered by the Chemical Facility Anti-Terrorism Standards program to do us harm,” she said.
DHS monitors 322 chemicals of interest through CFATS, but if a terminal’s chemical of interest (COI) is gasoline, the operator doesn’t need to complete a Top-Screen survey, the online tool for reporting chemical holdings, Graydon said. However, if a chemical is a separate stock feeding into the gasoline, the Top-Screen is required.
CFATS reauthorization, approved in January through an 18-month bipartisan effort, extended the program through April 2020, so DHS is working with Congress and stakeholders to secure longer-term authorization. But Graydon cautioned that non-compliant facilities, perhaps hoping to wait out the program, can be fined up to $34,871 per day, per violation—an enforcement tool she said DHS will “bend over backward” not to use.
Top-Screens are utilized to determine CFATS risk, which here is a function of threat, vulnerability and consequence. Facilities are assigned a “not high risk” or “high risk” designation and placed in one of four tiers, with Tier 1 for the highest risk. Tier 1 facilities must perform vulnerability assessments and develop plans to meet 18 DHS performance standards. After approval, DHS performs regular compliance inspections.
The 18 risk-based performance standards, which DHS considers best practices, all are related to the themes of detection, delay, response, cybersecurity and security management. They are:
• Restrict area perimeter
• Secure site access
• Screen and control access
• Deter, detect, delay
• Shipping, receipt and storage
• Theft and diversion
• Personnel surety
• Elevated threats
• Specific threats, vulnerabilities or risks
• Reporting significant security incidents
• Significant security incidents and suspicious activities
• Officials and organization
DHS currently tiers 3,325 CFATS facilities out of 40,000 Top-Screens submitted by unique facilities, Graydon said. Most are in Tiers 3 and 4 (3,077 facilities combined), primarily for theft and diversion, and 166 are in Tier 1.
“We have done a lot with cyber, and it’s really how the cyber system interacts with the chemical of interest,” Graydon said. “So for theft-and-diversion chemicals, we’re looking at the cyber systems that relate to inventory, (and) for release facilities, it could be that the cyber system is a SCADA system as it relates to the chemical of interest. So the program is flexible enough to address the risk based on the type of facility and the chemical of interest you have.”
Graydon also highlighted personnel surety program (PSP) changes, terrorist screening provisions and CFATS progress, including measures to streamline reporting.
The DHS’s PSP, or Risk-Based Performance Standard 12, contains four parts, and the first three (verify and validate identity, check criminal history, and validate legal authorization to work in the US) have applied to all facilities since 2015. The fourth, identifying people with terrorist ties, currently applies only to Tier 1 facilities, but DHS recently received approval to implement the check for Tiers 3 and 4.
“Our plan is to roll out the personnel surety program,” Graydon said. “We’re going to do an implementation notice and we’re going to phase it in. So you don’t have to do anything until we contact you, but we want you to think about how you’re going to go about implementing your groups, how you’re identifying certain individuals with access to the COI that are going to be required to be vetted … and then which option you want to choose.”
Ways to implement terrorist screening provisions (currently for Tiers 1 and 2) include:
• Direct vetting through DHS’s online tool
• Verifying credentials through DHS’s online tool
• Using an electronic credential reader, like TWIC
• Visual verification of a credential
“We anticipate it will take us at least two-plus years to get to all 3,000 facilities that are in Tiers 3 and 4,” Graydon said.
Graydon said that, to date, 75% of CFATS facilities have implemented planned measures that reach DHS standards, 55% improved security from their first submission to their current plan, and more than 3,000 facilities voluntarily modified chemical holdings or processes to avoid the high-risk category, including adding cameras and alarms, bolstering training, designating restricted areas and conducting background checks.
DHS also streamlined the Top-Screen process, which used to take six hours and now takes only 13 minutes, Graydon said.
“Industry is recognizing things can be done, and you can take some time to think about it and make the capital investment,” Graydon said.