You are here

Home > Topics > Critical Infrastructure Security > Chemical Security > Chemical Security Assessment Tool > Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) Revisions

Chemical Security Assessment Tool (CSAT) Site Security Plan (SSP) Revisions

In deploying the Chemical Security Assessment Tool (CSAT) 2.0 and the revised tiering methodology, all chemical facilities of interest and covered chemical facilities will be required to resubmit Top-Screens using the revised Top-Screen survey. Facilities that have previously submitted a Top-Screen will be individually notified of their submission deadline on a rolling basis, but may choose to submit prior to notification. Facilities that were previously granted an indefinite extension, that are statutorily exempt, or that no longer have holdings of chemicals of interest (COIs) will not be required to resubmit a Top-Screen.

After completing the Top-Screen, facilities may or may not receive a new tier. This does not mean that all facilities will be required to submit a Security Vulnerability Assessment (SVA) and Site Security Plan (SSP). Rather, facilities will have to submit a SVA and SSP if either:

  1. The facility was previously not tiered 1, 2, 3, or 4 and receives a tiering letter indicating it is now a tier 1, 2, 3, or 4 facility, or
  2. The facility receives a revised tiering, and its security posture in its current SVA and SSP does not address all of the tiered chemical(s) of interest (COIs) and security concerns at the new tier levels. Facilities may contact DHS if they need assistance in making this initial determination. Ultimately, DHS will determine if an SSP contains measures adequate for the new risk tier.

Facilities will continue to be required to submit revised SVAs and SSPs as part of the regulatory cycle, such as after an Authorization Inspection. This may occur prior to the facility submitting a revised Top-Screen. Facilities that fall under the first category above and are completing the SVA and SSP surveys for the first time are encouraged to utilize the SVA/SSP Instructions Manual to complete the surveys.

For facilities that have previously submitted the SVA and SSP, the majority of their previously submitted information will be pre-populated into the new survey. Although CSAT 2.0 drastically reduces the number of overall questions, the tool includes some new questions and sections, which are outlined below to help facilities that fall into categories 1 and 2 above revise their surveys in an effective and efficient manner. For more information on the CSAT 2.0 SVA/SSP surveys, see the CSAT 2.0 SVA/SSP Instructions.

Quick Tip: Any of the questions below identified as new will be blank when a facility first opens the SSP. Facilities can quickly identify and jump to these questions by selecting the “Validate and Submit” button on the left-hand navigation tool. This tool will identify all unanswered questions and will allow the facility to jump straight to the new questions.

Security Vulnerability Assessment

When revising the SSP for the first time in CSAT 2.0, all facilities will be required to answer a few new SVA questions. These include:

  • Reviewing the currently tiered COI and voluntarily adding any non-tiered COI
  • Identifying the methods of use of the COI (i.e. manufacture, ship, sell, and/or receive)
  • Identifying critical assets and associating COI to each asset
  • Identifying detection measures and vulnerabilities in detection capability
  • Identifying delay measures and vulnerabilities in delay capability
  • Identifying response measures and vulnerabilities in response capability
  • Identifying cybersecurity measures and vulnerabilities in cybersecurity
  • Identifying policies, procedures and resources and vulnerabilities in the ability to manage the security posture

SSP Options

After completing the SVA, facilities that have chosen to submit an Alternative Security Program (ASP) or Expedited Approval Program (EAP) will receive the option to select ASP/EAP and have the ability to upload their documents.

SSP Detection

When answering many of the questions in the detection portion of the SSP, facilities will be asked to select whether the measure applies to the perimeter and/or critical assets. This section is in lieu of the previous SSP assets section. Based on the identified critical assets from the new SVA, the following questions should be revisited to correctly identify the location(s) to which the measure applies:

  • Q3.10.070 Mobile Patrols
  • Q3.10.120 Intrusion Detection Systems
  • Q3.10.180 through Q3.10.230 Intrusion Detection Sensors
  • Q3.10.290 and Q3.10.310 Closed Circuit Television (CCTV)

In addition, there are some new questions that facilities will need to address, such as:

  • Q3.10.050 Personnel Presence. This question will now allow the user to more clearly define the hours of operation for the facility and replaces the previous SSP questions on work shifts.
  • Q3.10.400 through Q3.10.420 Inventory Controls. These questions will allow the facility to better define and quantify the frequency of their chemical inventory program.

SSP Delay

When answering many of the questions in the delay portion of the SSP, facilities will be asked to select whether the measure applies to the perimeter and/or critical assets. This section is in lieu of the previous SSP assets section. Based on the identified critical assets from the new SVA, the following questions should be revisited to correctly identify the location(s) to which the measure applies:

  • Q3.20.030 through Q3.20.160 Perimeter Security. These questions include measures such as fences, gates, walls, doors, and locks.
  • Q3.20.430 and Q3.20.440 Access Control Systems
  • Q3.20.560 Anti-Vehicle Measures

SSP Response

This section of the SSP does not contain any new or changed questions.

SSP Cyber

To better understand a facility’s cybersecurity posture, CSAT 2.0 includes a new section (Q3.40.400 through Q3.40.430) that requires facilities to identify and describe cyber control and business systems.

SSP Security Management

In order to more clearly identify the population of individuals that require background checks under Risk-Based Performance Standard (RBPS) 12, CSAT 2.0 includes a new question (Q3.50.320 Types of Affected Individuals) that requires facilities to define their affected individuals.

In addition, Tier 1 and 2 facilities will also see questions that address RBPS 12(iv). Questions Q3.50.330 through Q3.50.550 allow facilities to identify the options chosen and measures used to implement those options for compliance with RBPS 12(iv).

Finally, CSAT 2.0 includes a new question (Q3.50.710) that is an affirmation of compliance with recordkeeping requirements under 6 CFR 27.255. This question replaces fifteen questions in the previous survey.

Last Published Date: October 19, 2016

Was this page helpful?

This page was not helpful because the content:
Back to Top